One year ago, a newly discovered zero-day vulnerability rocked the world of cybersecurity, but 12 months on, there are clear signs that vital lessons haven't been learned.
The catchily-titled CVE-2021-44228 was, and still is, an easy-to-exploit vulnerability in the widely used Java logging library Apache Log4j that enables attackers to remotely gain access to and take control of machines and servers.
Upon discovery, it was a massive concern, because the ubiquitous nature of Log4j meant it was (and is) embedded in a vast array of applications, services and enterprise software tools that are written in Java and used by organizations and individuals around the world.
Such was the danger posed by Log4j that the National Institute of Standards and Technology (NIST) gave the vulnerability a Common Vulnerability Scoring System (CVSS) score of 10, classing it as a highly severe, critical vulnerability, and within hours of disclosure it was being exploited by cyber criminals.
No wonder CISA chief Jen Easterly described the Log4j vulnerability as "one of the most serious that I've seen in my entire career, if not the most serious".