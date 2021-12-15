ContributorsPublishersAdvertisers
Log4Shell Vulnerability: How DevSecOps Pros Can Mitigate Risk

By Sean Michael Kerner
 4 days ago

Cover picture for the articleA critical vulnerability in the open-source Apache Log4j library that impacts countless applications and systems around the world was publicly reported on Dec. 10. According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the Log4j vulnerability, known as Log4Shell, could enable "an unauthenticated remote actor [to] exploit this vulnerability to...

CBS News

Nightmare before Christmas: What to know about the Log4j vulnerability

A vulnerability living inside a Java-based software known as "Log4j" shook the internet this week. The list of potential victims encompasses nearly a third of all web servers in the world, according to cybersecurity firm Cybereason. Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world's most popular video games, Minecraft count themselves among the slew of tech and industry giants running the popular software code that U.S. officials estimate have left hundreds of millions of devices exposed.
SOFTWARE
TechRepublic

Critical Log4Shell security flaw lets hackers compromise vulnerable servers

Apache has patched the vulnerability in its Log4j 2 library, but attackers are searching for unprotected servers on which they can remotely execute malicious code. A serious security vulnerability in a popular product from Apache has opened the floodgates for cybercriminals to try to attack susceptible servers. On Thursday, a flaw was revealed in Apache's Log4j 2, a utility used by millions of people to log requests for Java applications. Named Log4Shell, the vulnerability could allow attackers to take control of affected servers, a situation that has already prompted hackers to scan for unpatched systems on which they can remotely run malicious code.
SOFTWARE
ZDNet

CISA: Federal agencies must immediately mitigate Log4J vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency directive on Friday, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for the Apache Log4j vulnerabilities. If they can't patch, they're required implement other appropriate mitigation measures. . CISA previously said federal civilian agencies would...
TECHNOLOGY
TechSpot

Many Java-based applications and servers vulnerable to new Log4Shell exploit

Why it matters: Earlier this week, developers of the open-source security platform LunaSec discovered a zero-day vulnerability affecting a widely used Java-based logging library. The vulnerability, identified in a blog post as Log4Shell (CVE-2021-44228), can give third parties the ability to execute malicious code on vulnerable systems. The vulnerability's discovery...
SOFTWARE
IN THIS ARTICLE
#Infrastructure Security#Software Security#Risk Mitigation#Cisa#Log4j#Log4shell#Web Application Firewall#Waf#Cve 2021 44228#Secops#Devops#Ci
TechRadar

Here's how burnout can put the security of your organization at risk

Perhaps the allure of working from home has worn off or employees are just finding themselves in a slump but across industries, workers are now reporting extraordinarily high burnout which puts them and the security of their organizations at risk. To better understand this burnout phenomenon, 1Password has released its...
ECONOMY
freightwaves.com

Mitigating financial risk by automating spot transactions

This has been an unparalleled year for the logistics industry. Thanks to a combination of surging consumerism and continuing pandemic-related stressors — including equipment delays and the ongoing driver shortage — carriers have struggled to scale up and meet the demands of the market. With capacity severely strained throughout 2021, shippers were faced with fierce competition, delivery delays and historically elevated rates.
ECONOMY
paloaltonetworks.com

How Does DevSecOps Fit Into Your Digital Transformation?

"Going digital" is a huge challenge in the best of times, but thanks to increasingly competitive markets, more technically savvy customers, and a few... black swan events sprinkled around, it can feel more complicated than ever. But companies are making it work. If there's one thing that the COVID-19 pandemic has taught us, it's that we can all adapt when we need to, but that doesn't make the process any easier.
TECHNOLOGY
GovExec.com

Securing the Hybrid Office: Mitigating Hidden Network Risks

This summer, the Department of Defense Office of Inspector General released an eye-opening report warning services about a new threat to printing. The report examined additive manufacturing systems, but the concerns it raised are not unique to 3D printing alone. PCs, laptops, and mobile devices get most of the attention during endpoint security discussions, but others -- like printers -- are just as important. Too many organizations do not properly address printers when discussing security strategies, but if left unsecured they present an enticing opportunity for hackers to attack networks and steal valuable information. During this webcast, presented by HP, we’ll discuss why it’s so crucial to include oft-neglected devices in holistic risk assessments. We’ll also explore mitigation efforts at FedCiv agencies and talk about how to enact a comprehensive security plan that includes protection of the network as a whole -- on site or in work-from-home environments.
CELL PHONES
dig-in.com

How technology can help insurers evolve, manage risk

In 2021, the insurance industry reckoned with the broad impact of the COVID-19 pandemic. Appropriately, 2022 will need to be the year that agencies and carriers pivot from reacting and surviving to implementing new strategies for success. According to Deloitte’s 2021 insurance industry outlook, technology has been vital in helping...
TECHNOLOGY
cfodive.com

How to improve your controls and mitigate audit risk

As companies continue to work in a virtual or hybrid setting, this type of environment creates challenges and risk when it comes to the audit process. Spreadsheets and other manual processes used as a primary financial close tool create inefficiencies and increase risk, leading to problems cropping up in audits.
ECONOMY
itprotoday.com

What Is Application Security?

Application security is a broad term that describes any number of security measures at the application level to prevent data or code from compromise. Security measures can take the form of hardware, software or procedures to identify or minimize vulnerabilities like data leakage, cryptographic issues, CRLF and SQL injections, code quality, improper input validation and cross-site scripting.
COMPUTERS
threatpost.com

SAP Kicks Log4Shell Vulnerability Out of 20 Apps

SAP’s still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality. SAP has identified 32 apps that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library...
SOFTWARE
itprotoday.com

What Is Serverless Computing?

Serverless computing is an application deployment paradigm that allows applications to run on-demand, consuming only the resources required to execute them. In contrast, with traditional computing models, applications operate (and consume resources) constantly, even when they are not handling user requests. Applications deployed using a serverless computing strategy are usually...
SOFTWARE
gitconnected.com

Log4Shell: Lua + Nginx Mitigation

Prevent requests from reaching a vulnerable java application. If you were a sysadmin on any system with a java backend using log4j, this CVE may have ruined your Friday evening. Here are some details:. Blocking the bad traffic pattern is a quick win to buy some time to get the...
SOFTWARE
aithority.com

CIGNEX Helps Organizations Detect, Investigate And Mitigate Attacks From Log4j Vulnerability

CIGNEX is actively responding to the Log4j CVE-2021-44228 vulnerability – The vulnerability in Log4j software might offer hackers unrestricted access to computer systems & applications. CIGNEX, a leading provider of Digital Transformation through Open Source, Cloud and Automation technology solutions is actively responding to the Log4Shell vulnerability in the...
SOFTWARE
CSO

4 ways to properly mitigate the Log4j vulnerabilities (and 4 to skip)

The IT security community has been hard at work for the past week to investigate a critical and easy-to-exploit vulnerability in a hugely popular Java component called Log4j that's present in millions of applications and products. Since the flaw was first disclosed and attackers started exploiting it, security researchers have discovered additional security issues in Log4j and various ways to bypass some of the proposed mitigations, leaving security teams scrambling for the correct ways to protect their applications, servers and networks.
SOFTWARE
helpnetsecurity.com

Log4Shell update: Attack surface, attacks in the wild, mitigation and remediation

Several days have passed since the dramatic reveal of CVE-2021-44228 (aka Log4Shell), an easily exploitable (without authentication) RCE flaw in Apache Log4j, a popular open-source Java-based logging utility that’s seemingly used by most enterprise applications out there. The existence of the vulnerability and the public release of PoCs exploiting...
SOFTWARE
itprotoday.com

2021 State of Continuous Delivery Report Highlights DevOps Challenges

More often than not, developers today are also engaged in DevOps processes, according to the 2021 State of Continuous Delivery Report. The 33-page report was sponsored by the CD Foundation, which was founded in 2019 and itself is part of the Linux Foundation. In the era before DevOps became common,...
SOFTWARE
itprotoday.com

Review the Top 3 Data Storage Industry Trends of 2021

More data, in more locations, used by more people on more devices. These realities have forced organizations to reevaluate their approaches to storage. In 2021, that meant weighing cloud-focused storage options and taking data security much more seriously. Here are the data storage industry trends that resonated with users. When...
