Critical Fault with Log4j Software

Uploaded on 2021-12-13 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Attackers are actively exploiting a critical vulnerability in Apache Log4j, a logging library that's used in potentially millions of Java-based applications, including web-based ones. Organisations should immediately review if their apps, especially the publicly accessible ones, use the library and should implement mitigations as soon as possible.

This recently discovered vulnerability in Log4j 2 is reportedly being actively exploited, putting widely used applications and cloud services at high risk.

Researchers discovered a critical vulnerability in Apache Log4j library. Apache Log4j is part of the Apache Logging Project. By and large, usage of this library is one of the easiest ways to log errors, and that is why most Java developers use it. Now the Apache Software Foundation has released fixes to contain an exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponised to execute malicious code and allow a complete takeover of vulnerable systems.

Log4j is used as a logging package in a variety of different popular software by companies including Amazon, Apple iCloud, ElasticSearch, Steam, Tesla, Twitter, and video games such as Minecraft. 

This  problem concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the Apache Foundation said in an advisory. "From Log4j 2.15.0, this behavior has been disabled by default."

Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. 

Given these problems with Log4j in enterprise IT and DevOps, it is vital for users to address the flaw immediately. 

The Israeli cyber security firm Cybereason has released a fix called Logout4Shell that closes out the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation of the attack. "This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," Security expert Marcus Hutchins said in a tweet.

CERT.NZ:   Hacker News:   Marcus Hutchins:    Kaspersky:    Techtarget:   Logging Apache:   CSO Online:  

You Might Also Read: 

How To Optimize The DevSecOps Pipeline:

 

« Britain's New Deals On Digital Trade & Cyber Security
Best Programming Languages For Cyber Security In 2022 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

AVG Technologies

AVG Technologies

AVG is focused on providing home and business computer users with the most comprehensive and proactive protection against computer security threats.

Salt Communications

Salt Communications

Salt communications is a global leader in secure communications. Our bespoke platform is the secure communications solution that uniquely gives complete control to our customers.

Proteus

Proteus

Proteus is an Information Security consulting firm specialized in Risk Analysis and Executive Control.

ADL Process

ADL Process

ADL Process offer secure data destruction, certified product destruction and responsible electronics recycling services to businesses and institutions.

Char49

Char49

Char49 specialize in Penetration Testing, Red Team Assessment, Social Engineering and Security Research.

Bfore.ai

Bfore.ai

Stop future attacks, today. Bfore.ai is an operational threat intelligence feed to add predictive technology to your security infrastructure.

AutoRABIT

AutoRABIT

AutoRABIT provides DevSecOps tools built specifically for Salesforce developers to increase release velocity, produce consistently high-quality code, and enhance data security.

Celera Networks

Celera Networks

Celera Networks is a managed services provider specializing in cybersecurity, cloud and managed IT services.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

Data Defenders

Data Defenders

Data Defenders provide information security technology solutions that empower consumers, businesses and governments with safe and secure IT and cybersecurity infrastructures.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group) is a USA based digital transformation company with expertise in Mobile, Cloud, Web, IoT, AR, RPA, Cyberseurity and AI Technologies.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.

Adsigo

Adsigo

Adsigo AG is your reliable and professional partner for all topics concerning PCI certification, compliance and information security.

Potech

Potech

Potech provides masterful services in Information & Technology and Cybersecurity to multiple markets across the world.