Second security flaw found in Log4Shell software — what this means for you


The Log4Shell flaw that has website administrators rushing to patch servers even as criminals ramp up attacks now has a sibling. 

A second flaw has been found in the same logging utility, one that could crash websites, and the utility's developers have rushed out a patch that fixes both flaws.

The new flaw, catalogued as CVE-2021-45046 but without a catchy name of its own, abuses the same lookup mechanism as Log4Shell, otherwise known as CVE-2021-44228.

As first assessed, it lets attackers cause a denial of service, i.e., a crash, in Log4j, the same utility being exploited by Log4Shell, which in turn might cause websites using Log4j to malfunction or crash. It applies only in a non-default configuration: the logging pattern has to pull data from the Thread Context Map (via ${ctx:...} or the %X, %mdc or %MDC pattern converters), and the attacker has to be able to get their own input into that map.

The initial patch to stop Log4Shell, version 2.15.0 of Log4j, doesn't stop this new attack. So the Apache Software Foundation, which maintains Log4j, yesterday (Dec. 13) released Log4j version 2.16.0, which disables JNDI lookups by default and removes message-lookup support altogether. Users still on Java 7 get the same two fixes in Log4j 2.12.2.

Crashing Log4j likely won't lead to the same devastating effects as Log4Shell does. The earlier flaw lets attackers run malicious code on, or steal sensitive information from, any web server that contains Log4j somewhere in its software.

This new flaw might knock a web server offline, which is annoying and can be expensive if business transactions are halted, but most likely won't result in permanent damage. That said, Apache later reassessed CVE-2021-45046 as also permitting information leaks and, in some environments, remote code execution, raising its severity score from 3.7 to 9.0, so servers still on 2.15.0 should be treated as unpatched.

What to do about Log4Shell

Hundreds of thousands, if not millions, of web servers are believed to be impacted by Log4Shell. Log4j 2 versions from 2.0-beta9 through 2.14.1 are affected regardless of which Java runtime they run on; newer Java releases make the simplest exploit (loading a class from a remote server) harder but do not close the hole. The only permanent solution is to update Log4j.
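To turn those version numbers into a check you can run against your own deployment, here is an added example in Python; it is not code from Tom's Guide or from the Log4j project. It classifies a log4j-core version against the two CVEs using the ranges in Apache's advisories (2.12.2 is the Java 7 backport that also fixes both), reads the version and the presence of the JndiLookup class out of a jar, and flags the Thread Context Map patterns (${ctx:...}, %X, %mdc, %MDC) that CVE-2021-45046 needs in order to be reachable. The jar built by build_sample_jar and the log4j2.xml snippet in SAMPLE_CONFIG are constructed stand-ins, not real artifacts.

```python
"""Triage Log4j 2 jars and configs against CVE-2021-44228 and CVE-2021-45046.

Added example for this article; not code from Tom's Guide or the Apache
Log4j project. Version ranges follow the Apache Log4j security advisories
for the two CVEs; the sample jar and config below are constructed inline.
"""
import io
import re
import zipfile

# Path of the lookup class inside log4j-core jars; Apache's stop-gap
# mitigation for users who could not upgrade was to delete it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Fixes both CVEs despite a version number inside the affected range:
# 2.12.2 is the Java 7 backport released alongside 2.16.0.
BACKPORT_FIXED = {"2.12.2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version):
    """Sortable key for Log4j 2 version strings such as '2.0-beta9' or '2.15.0'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRERELEASE_RANK[tag] if tag else 3  # final releases sort last
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def affected_cves(version):
    """Return the CVEs from the article that apply to this log4j-core version."""
    if version in BACKPORT_FIXED:
        return []
    key = version_key(version)
    cves = []
    # Log4Shell: 2.0-beta9 up to and including 2.14.1; 2.15.0 was the first fix.
    if version_key("2.0-beta9") <= key <= version_key("2.14.1"):
        cves.append("CVE-2021-44228")
    # The 2.15.0 fix was incomplete, so the sibling flaw reaches 2.15.0 too.
    if version_key("2.0-beta9") <= key <= version_key("2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def triage_jar(jar_bytes):
    """Read the version and JndiLookup presence from a log4j-core jar image."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            # Maven-built jars record their coordinates in pom.properties.
            if name.endswith("/log4j-core/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "jndi_lookup_class": JNDI_LOOKUP_CLASS in names,
        "cves": affected_cves(version) if version else [],
    }


# CVE-2021-45046 needs a non-default PatternLayout that pulls Thread Context
# Map data in via ${ctx:...} (or $${ctx:...}) or the %X / %mdc / %MDC converters.
_CONTEXT_PATTERN_RE = re.compile(r"\$\$?\{ctx:|%X(?![A-Za-z])|%mdc\b|%MDC\b")


def context_lookup_patterns(config_text):
    """Return the Thread Context Map tokens found in a log4j2 config's patterns."""
    found = []
    for pattern in re.findall(r'pattern="([^"]*)"', config_text):
        found.extend(_CONTEXT_PATTERN_RE.findall(pattern))
    return found


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (only the entries we inspect)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed config: a non-default pattern that logs two context-map fields.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %-5p %X{loginId} ${ctx:requestId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.12.2", "2.16.0"):
        print(v, triage_jar(build_sample_jar(v)))
    print("context lookups in config:", context_lookup_patterns(SAMPLE_CONFIG))
```

Point triage_jar at the bytes of every log4j-core jar you find on a host (including jars nested inside .war and .ear files, which this example does not unpack), and treat any non-empty "cves" list as an upgrade job. A 2.16.0 jar still contains JndiLookup.class; that is expected, since 2.16.0 disables JNDI by default rather than deleting the class.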

The Netherlands' National Cyber Security Center has posted a list of enterprise software thought to be vulnerable to Log4Shell; the list also records software that has been checked and found not to be vulnerable.

Among the well-known names on the list are Amazon, Broadcom, Cisco, Citrix, Dell, HPE, Huawei, IBM, McAfee, Microsoft, Netflix, Oracle, Red Hat, Siemens and Trend Micro.

As detailed in our earlier story, most Windows PCs, Macs and mobile devices are not vulnerable to attacks using Log4Shell: Log4j is a Java library, so a device is exposed only if it runs a Java application that bundles a vulnerable copy of it. (Microsoft's December Patch Tuesday updates don't address it.)

Gamers running Minecraft Java Edition do of course run Java, and they got a patch for Minecraft last week. Yesterday, Bitdefender reported seeing two campaigns that were putting ransomware and remote-access Trojans on Windows machines that do have Java installed.

But again, neither Windows nor macOS ship with Java installed. Linux desktops are more exposed, as many of them do have it, though even there only applications that ship a vulnerable Log4j are at risk. Ubuntu has already released patches fixing Log4Shell, and other Linux distributions have probably also done so.

However, because of the sheer volume of financial and personal data held in web-facing servers, such as credit-card and banking information, email messages, login credentials, photos and other personal details, the risk of data breaches, identity thefts, credit card thefts and account hijackings has probably never been higher.

Likewise, criminals may use Log4Shell to compromise websites in order to distribute malware, or to use them in phishing attacks that steal your personal information.

Now is a perfect time to start using one of the best password managers, to install some of the best antivirus software, to freeze your credit files and to check your credit reports.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
