Podcast-Folge · The GitHub Podcast · 21.10.2025 · 31 Min.

In this episode of the GitHub Podcast, Abby sits down with Felix Reda, Director of Developer Policy at GitHub, and Christian Grobmeier, a longtime Log4J maintainer, to reflect on the aftermath of the ...

In this episode of the GitHub Podcast, Abby sits down with Felix Reda, Director of Developer Policy at GitHub, and Christian Grobmeier, a longtime Log4J maintainer, to reflect on the aftermath of the…

The Lazarus Group was found targeting the Log4Shell vulnerability (CVE-2021-44228) in a new series of attacks named “Operation Blacksmith.” According to a new advisory published by Cisco Talos security researchers, the attacks leveraged the Log4Shell flaw in publicly facing VMWare Horizon servers for initial access. This campaign consists of continued opportunistic targeting of enterprises around The Lazarus Group was found targeting the Log4Shell vulnerability (CVE-2021-44228) in a new series of attacks named “Operation Blacksmith.”

In December 2021, the cybersecurity community was alerted to four critical vulnerabilities in the Log4j library, collectively known as Log4Shell. These vulnerabilities were promptly addressed with patches. However, it has since come to light that additional vulnerabilities, specifically a denial of service (DoS) and a data leak, were not widely recognized at the time. It wasn't until September 2022 that the vendor officially acknowledged these vulnerabilities, classifying them as part of the initial four bugs. Consequently, no specific patches or new Common Vulnerabilities and Exposures (CVE) identifiers were assigned to these additional issues. This revelation has significant implications for the cybersecurity landscape. Log4j is a ubiquitous logging library used in numerous Java applications, making its vulnerabilities a widespread concern. The initial Log4Shell vulnerabilities were critical due to their potential for remote code execution (RCE), but the overlooked DoS and data leak vulnerabilities are also substantial threats. DoS attacks can disrupt services, while data leaks can expose sensitive information, both of which can have severe operational and reputational impacts. The vendor's delayed acknowledgment and the lack of new CVEs or patches for these vulnerabilities raise concerns about the thoroughness of initial vulnerability assessments. It underscores the necessity for organizations to conduct comprehensive security evaluations rather than relying solely on vendor-provided patches. Moreover, the absence of new CVEs means that these vulnerabilities might not be adequately tracked or mitigated in vulnerability databases, potentially leaving systems exposed to these risks. From an expert perspective, this situation highlights the importance of continuous monitoring and updating of software components. Cybersecurity professionals must remain vigilant and proactive in identifying and mitigating vulnerabilities, even those not immediately recognized or patched by vendors. It also emphasizes the need for robust vulnerability management processes that include thorough testing and verification beyond initial vendor patches. In conclusion, the discovery of overlooked vulnerabilities in Log4j serves as a critical reminder of the complexities involved in vulnerability management. It calls for a more rigorous approach to identifying and addressing security issues, ensuring that all potential vulnerabilities are accounted for and mitigated effectively.

Une seconde faille de sécurité dans Log4j commence à être exploitée par les pirates - tandis qu'un troisième bug critique permet d'exploiter la faille de sécurité Log4Shell qui affole les experts en sécurité depuis un peu plus d'une semaine.