Recently uncovered software flaw - "most critical vulnerability of the last decade"

posted on Dec, 11 2021 @ 12:34 PM
Well, here's a kick in the teeth for internet security!

It's being patched as we speak, but how many small/medium websites and web application programmers will miss this dangerous flaw in Apache Services?

www.theguardian.com...


Log4Shell grants easy access to internal networks, making them susceptible to data loot and loss and malware attacks

A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.

The flaw, dubbed “Log4Shell”, may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on 24 November by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.


Stay safe!


edit on 11/12/2021 by Encia22 because: Just tinkering



posted on Dec, 11 2021 @ 12:51 PM
It made work interesting yesterday.

cve-2021-44228-log4j-rce-0-day-mitigation

Affected:
In all Log4j versions >= 2.0-beta9 and below 2.14.1, JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution.

Mitigation/Remediation:
Update to the newest version.
If updating to the latest version is not possible, customers can also mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to "true"; or by removing the JndiLookup class from the classpath;
or by adding the JVM flag "-Dlog4j2.formatMsgNoLookups=true".


Thankfully, most of our systems were unaffected (and none were exploited before remediation.)


edit on 11-12-2021 by Elton because: (no reason given)
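A defender-side check for the two workarounds listed in the post above (removing the JndiLookup class from the jar, or running with the formatMsgNoLookups flag). This is an added example, not code from the post or from the Log4j project; the sample jars it builds are constructed in memory and only imitate the layout of a real log4j-core jar, and the version is reported from the manifest but not judged against the affected range.

```python
import io
import zipfile

# Path of the lookup class inside log4j-core; deleting this entry from the jar
# is one of the mitigations named in the post.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar (not a real artifact): a zip
    with a manifest and, optionally, a placeholder JndiLookup class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(jar_bytes, jvm_flags=()):
    """Report which of the post's workarounds are in place for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = manifest_version(zf)
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    flag_set = NO_LOOKUPS_FLAG in jvm_flags
    return {
        "version": version,
        "jndi_lookup_present": jndi_present,
        "no_lookups_flag": flag_set,
        # Neither workaround applied: the class is still there and the flag is absent.
        "mitigation_missing": jndi_present and not flag_set,
    }
```

To run it against a deployed jar, pass the file's bytes to assess_jar together with the JVM flags from the running process; upgrading to a fixed release remains the recommended path in the post.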



posted on Dec, 11 2021 @ 12:56 PM
a reply to: Elton

Thanks for the link... I'll pass it around my SOC team!




posted on Dec, 11 2021 @ 05:22 PM

originally posted by: Elton
It made work interesting yesterday.

cve-2021-44228-log4j-rce-0-day-mitigation

Affected:
In all Log4j versions >= 2.0-beta9 and below 2.14.1, JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution.

Mitigation/Remediation:
Update to the newest version.
If updating to the latest version is not possible, customers can also mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to "true"; or by removing the JndiLookup class from the classpath;
or by adding the JVM flag "-Dlog4j2.formatMsgNoLookups=true".


Thankfully, most of our systems were unaffected (and none were exploited before remediation.)



Phew, thanks for pointing out this affects Log4j/Java ecosystem and not, say, httpd.

Had me nervous for a second.



