Log4Shell can hack your iPhone or even Tesla

Now that the Log4Shell cat is out of the bag, researchers are experimenting with all the different ways the vulnerability could be used in the wild.

This includes two recent demonstrations of how the vulnerability in the open-source Log4j Java logging tool can be triggered from an iPhone or a Tesla car to compromise the servers those endpoints communicate with.

A Dutch researcher demonstrated that changing an iPhone's name to a crafted string would cause a server on the other end to attempt to reach a specific URL. An unknown researcher did the same with a Tesla car, posting the results to the anonymous Log4jAttackSurface GitHub repository.

Growing risk

In theory, a malicious actor could host malware on a server and then, simply by changing the name of an iPhone, force Apple's servers to fetch that server's URL and download the malware.

That is a long shot, though, since any well-maintained network can block such an attack relatively easily. The Verge further notes that there is no indication this approach would lead to any broader compromise at these companies.

Extremely fragile

Log4Shell is the name given to a vulnerability recently discovered in Log4j, a Java logging tool that some researchers estimate handles event logging on millions of devices.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), described the flaw as "one of the most serious" she's seen throughout her career, "if not the most serious."

Easterly explains: "We expect the vulnerability to be widely exploited by sophisticated players, and we have limited time to take the necessary steps to reduce the likelihood of damage."

It is tracked as CVE-2021-44228 and allows malicious actors to run almost any code. Experts warn that the skills required to exploit the vulnerability are very low and urge everyone to patch Log4j as soon as possible.

Organizations that use Log4j in their software should immediately upgrade it to the latest 2.15 version, which is available from Maven Central.
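A practical follow-up to that recommendation, added here as an example that is not part of the original article: a small Python inventory check that reads the version recorded inside each log4j-core jar under a directory and flags anything older than 2.15.0. It assumes the standard Maven pom.properties path inside the jar; the two jars it scans are constructed fixtures, not real Log4j builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Fixed release named in the article; pom.properties is where Maven-built jars record their version.
FIXED_VERSION = "2.15.0"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def needs_upgrade(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed log4j-core is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)

def log4j_core_version(jar_path: Path) -> Optional[str]:
    """Return the version recorded inside a jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None

def scan_directory(root: Path) -> Dict[str, bool]:
    """Map each log4j-core jar under root (by file name) to whether it still needs the upgrade."""
    findings = {}
    for jar_path in root.rglob("*.jar"):
        version = log4j_core_version(jar_path)
        if version is not None:
            findings[jar_path.name] = needs_upgrade(version)
    return findings

def make_fake_jar(path: Path, version: str) -> None:
    """Constructed fixture: a minimal jar carrying only pom.properties (not a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\n")

def demo() -> Dict[str, bool]:
    """Build two constructed jars, one pre-fix and one at the fixed release, and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("2.14.1", "2.15.0"):
            make_fake_jar(Path(tmp) / f"log4j-core-{version}.jar", version)
        return scan_directory(Path(tmp))
```

Calling `demo()` returns the findings for the two constructed jars; point `scan_directory()` at a real deployment directory to inventory it.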