Vendors with susceptible versions of log4j code have been hard at work since Friday developing workarounds, patches and updated versions of their products that eliminate the risk of exploitation. “With a zero-day disclosure like this one, attackers have an advantage while software maintainers scramble to develop the fix.”
“Normally a vulnerability is reported privately to the software maintainers, who then have time to repair the issue and release an update, so attackers don‘t gain a temporary advantage,” VMware wrote in a frequently asked questions (FAQ) document posted to its website. Vulnerable code can be found in products from some of the most prominent technology vendors like Cisco, IBM and VMware, and as well as one serving the MSP community like ConnectWise and N-able. The critical vulnerability disclosed last week in Java logging package log4j sent shockwaves throughout the industry given how frequently that open-source library is used to develop enterprise software.
0 kommentar(er)
