How developers scrambled to secure the Log4j vulnerability

This article has been indexed from InfoWorld Security

Last weekend, the internet caught fire, and it is still unclear just how many developers with fire extinguishers will be needed to bring it under control. There was a set of first responders on the scene, however: largely unpaid maintainers or developers working in their spare time to patch vulnerabilities, issue guidance, and provide some much-needed clarity among the chaos.

On December 9, the Apache Foundation released an emergency update for a critical zero-day vulnerability called Log4Shell, which had been identified in Log4j, an open-source logging framework used in all kinds of Java applications. The bug, identified as CVE-2021-44228, allows an attacker to execute arbitrary code on any system that uses the Log4j library to write out log messages. It was immediately rated with the maximum severity score of 10 on the CVSS scale.
