Recently uncovered software flaw -

posted on Dec, 11 2021 @ 12:34 PM

link

Well, here's a kick in the teeth for internet security!

It's being patched as we speak, but how many small/medium websites and web application programmers will miss this dangerous flaw in Apache Services?

www.theguardian.com...

Log4Shell grants easy access to internal networks, making them susceptible to data loot and loss and malware attacks

A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.

The flaw, dubbed “Log4Shell”, may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on 24 November by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

Stay safe!

edit on 11/12/2021 by Encia22 because: Just tinkering

Elton

posted on Dec, 11 2021 @ 12:51 PM

link

It made work interesting yesterday.

cve-2021-44228-log4j-rce-0-day-mitigation

Affected:
In all Log4j versions >= 2.0-beta9 and below 2.14.1 JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution.

Mitigation/Remediation:
Update to newest version
If updating to the latest version is not possible, customers can also mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to “true”; or by removing the JndiLookup class from the classpath;
Or by adding the JMV flag "-Dlog4j2.formatMsgNoLookups=true"

Thankfully, most of our systems were unaffected (and none were exploited before remediation.)

edit on 11-12-2021 by Elton because: (no reason given)

Encia22

posted on Dec, 11 2021 @ 12:56 PM

link

a reply to: Elton

Thanks for the link... I'll pass it around my SOC team!

SleeperHasAwakened

posted on Dec, 11 2021 @ 05:22 PM

link

originally posted by: Elton
It made work interesting yesterday.

cve-2021-44228-log4j-rce-0-day-mitigation

Affected:
In all Log4j versions >= 2.0-beta9 and below 2.14.1 JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution.

Mitigation/Remediation:
Update to newest version
If updating to the latest version is not possible, customers can also mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to “true”; or by removing the JndiLookup class from the classpath;
Or by adding the JMV flag "-Dlog4j2.formatMsgNoLookups=true"

Thankfully, most of our systems were unaffected (and none were exploited before remediation.)

Phew, thanks for pointing out this affects Log4j/Java ecosystem and not, say, httpd.

Had me nervous for a second.

Recently uncovered software flaw - "most critical vulnerability of the last decade"