A storm hit the tech industry on December 10 when the Remote-Codeausführung CVE-2021-44228 in the popular Java logging library Log4J (all versions between 2.0 and 2.14.1) have become vulnerable. The software library helps developers keep track of changes in the applications they create – such as text files. The 0-day attack vulnerability Log4Shell was first discovered in Minecraft; it has Far-reaching consequences given the ubiquitous nature of the Log4J library, which leaves millions of applications vulnerable to attack. The vulnerability could be used by an attacker to take control of the vulnerability from a remote server.
Laut Acronis VP of Cyber Protection Research, Candid Wuest
“The Log4shell vulnerability in Log4j is definitely one of the five most serious vulnerabilities in the last decade that Remote Code Execution (RCE) has made possible. It is comparable to the EternalBlue used by WannaCry or the ShellShock Bash vulnerability. What makes it so serious is the ease with which it can be exploited remotely, as well as the large number of applications that use it. In addition, patching also takes longer – because not only can vulnerable software be updated, but a library that is included in many applications, so many different updates have to be installed. ”
Any application that uses the Java logging library is at risk due to the vulnerability, including cloud applications such as Steam, Apple iCloud, etc. In addition, according to a Lunasec researchers, simply changing the name of an iPhone can open the security hole in Apple’s servers. Candid Wuest said the list of affected applications is still growing as companies complete their analysis – affected applications already include Minecraft, Blender, LinkedIn, VMware and many more.
The vulnerability can lead to:
- Service interruption for malware execution
- Data leak
- Exfiltrate sensitive data
- Get initial access to systems
An increase in these attacks could lead to an increase in data breaches and new computers to be added to botnets for future attacks. According to experts, the vulnerability can allow hackers to control Java-based web servers and carry out remote code execution (RCE) attacks, which they can use to take control of affected systems. As the industry works to mitigate the vulnerability, Ivanti, Vice President Product Management, Chris Goettl, has identified some effective actions that can be taken:
“As far as companies go to fix this vulnerability, it’s a little more difficult. Typically, an organization relies on code scanners to identify the vulnerable code component or library. In this case, the code scanners are still in the running to catch up and properly detect the vulnerable library. For products already on the market, a company relies on network vulnerability scanning to identify vulnerable software, but these scanners struggle to consistently detect the vulnerability as they have to try to get a properly formed message send and monitor the logs for results. which may not be displayed continuously. The best guide is to continue to rely on your DevSecOps processes and vulnerability scans and complement this with more direct measures as there will likely be gaps in detection for some time.
There are several sources that compile lists of KB articles, safety notices, and how to reduce risk from vendors. Your organization should evaluate the vendors in your environment, determine if they have provided guidance, and take action immediately. ”
In addition, the Apache Foundation has updated Log4j version 2.15.0, published on December 6, 2021, to fix the vulnerability. Because the update does not fully address the vulnerability, the Apache Foundation has released version 2.16.0, which fully addresses the vulnerability and adds the development team’s backlogs to update essential sections of their code base that handle the logging. Organizations need to update the system as soon as possible to avoid malicious attacks on their software.
Subscribe to our newsletter
Get the latest updates and relevant offers by sharing your email.
The post What is all the controversy surrounding Log4Shell? appeared first on Nach Welt.