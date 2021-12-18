ContributorsPublishersAdvertisers
Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability

By noreply@blogger.com (Ravie Lakshmanan)
 4 days ago

Cover picture for the articleThe issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack. Tracked as CVE-2021-45105...

The Independent

log4j: Tech companies scramble to fix software vulnerability that ‘threatens entire internet’

Tech companies across the world are under pressure to fix a software vulnerability that many cybersecurity experts are calling one of the worst to be discovered in recent years.The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build.The software flaw was first noticed on sites catering to the popular video game Minecraft, and was officially reported to Apache on 24 November by Chen Zhaojun of Alibaba, according to Crowdstrike. But it soon became clear that the vulnerability had far-reaching implications since the software is ubiquitous, used...
SOFTWARE
healthitsecurity.com

Severe Apache Log4j Vulnerabilities Could Result in Healthcare Cyberattacks

Threat actors can exploit Log4j and execute arbitrary code on a compromised system or device. Researchers first discovered the remote code execution (RCE) vulnerability in November. However, proof-of-concept exploit code has been circulating on social media recently, making the vulnerability a higher priority. “The exact extent to which Log4j is...
SOFTWARE
PC Magazine

Countless Serves Are Vulnerable to Apache Log4j Zero-Day Exploit

A critical vulnerability has been discovered in Apache Log4j 2, an open source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers. The Apache Software Foundation (ASF) has identified the vulnerability as CVE-2021-44228; LunaSec has dubbed...
SOFTWARE
The Hacker News

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "incomplete in certain non-default configurations." The second vulnerability — tracked as CVE-2021-45046 — is rated 3.7 out of a maximum of...
SOFTWARE
kaspersky.com

Critical vulnerability in Apache Log4j library

Various information security news outlets reported on the discovery of critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability. For this reason, the Apache Foundation recommends all developers to update the library to version 2.15.0, and if this is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.
SOFTWARE
paloaltonetworks.com

Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

This post is also available in: 日本語 (Japanese) On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.15.0-rc2) of Apache log4j 2 for all systems.
SOFTWARE
inforisktoday.com

Already Compromised by Apache Log4j? Check Before You Patch

Multiple security researchers have now spotted several instances of threat actors exploiting the Apache Log4j vulnerability by deploying malwares including Muhstik and Mirai botnets or by scanning for vulnerable servers. Responders are advised to check for compromise before they implement fixes. The vulnerability, tracked as CVE-2021-44228 and detected in the...
SOFTWARE
siliconangle.com

Criminal groups continue to exploit Apache Log4j vulnerability with ransomware and malware

Criminal groups and even suspected state-sponsored hacking groups continue to exploit a serious vulnerability in Apache Log4j with ransomware and other forms of malware. According to research from Check Point Software Technologies Ltd., the number of attacks seeking to take advantage of the vulnerability continues to rise, from 40,000 attacks on Dec. 11 through to more than 800,000 attacks on Dec. 13. The number of variants being used to exploit the vulnerability has also increased to 60 over the same period.
PUBLIC SAFETY
paloaltonetworks.com

Apache Log4j Vulnerability Information and Resources

On December 9, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild. Apache Log4j is an open-source logging utility that is leveraged within numerous Java applications around the world. The release of public proof-of-concept (PoC) code and subsequent investigation revealed that the exploitation was incredibly easy to perform. By submitting a specially crafted request to a vulnerable system, the attacker can instruct the system to download and subsequently execute a malicious payload. Due to its recent discovery, there are still many on-premises and cloud servers that have yet to be patched.
SOFTWARE
wpguynews.com

All In One SEO Plugin Patches Severe Vulnerabilities

The All In One SEO plugin has patched a set of severe vulnerabilities that were discovered by the Jetpack Scan team two weeks ago. Version 4.1.5.3, released December 8, includes fixes for a SQL Injection vulnerability and a Privilege Escalation bug. Marc Montpas, the researcher who discovered the vulnerabilities, explained...
COMPUTERS
PC Perspective

Hear Ye! Hear Ye! Patch Ye Thine Apache; For Log4j Safety

Log4j Version 2.16 Disables The Java Naming and Directory Interface By Default. Rejoice for there is now a way to make your systems somewhat less vulnerable to the Log4Shell vulnerability in the form of a new patch from Apache. The previous 2.15 patch disabled the JNDI message lookups that are the heart of this vulnerability but it did not completely disable JNDI completely and so some software could well be exposed. The new 2.16 patch disables it completely, thus completely removing the key though not the lock as JNDI still remains susceptible to this hack if ever enabled again.
COMPUTERS
CSO

Second Log4j vulnerability carries denial-of-service threat, new patch available

A second vulnerability impacting Apache Log4j has been discovered as the security industry has scrambled to mitigate and fix a severe zero-day Java library logging flaw (CVE-2021-44228) dubbed Log4Shell. The new vulnerability, CVE 2021-45046, could allow attackers to craft malicious input data using a JNDI lookup pattern resulting in a denial-of-service (DoS) attack, according to the CVE description.
SOFTWARE
paloaltonetworks.com

Addressing Apache Log4j Vulnerability with NGFW and Cloud-Delivered Security Services

Learn how our Palo Alto Networks customers can help protect against the critical Apache Log4j vulnerability with our NGFW by using automated preventions and best practices. The Apache Log4j library allows for developers to log various data within their applications. In certain circumstances, data being logged can originate from user input. Should this user input contain special characters, as shown in Step 1 of the above example, a Java method lookup can be called, as shown in Step 2. This method can be redirected to download and execute a Java class hosted on an attacker's external server in Step 3. The malicious Java class is then executed on the victim server that uses the vulnerable log4j instance. For a complete breakdown, description and most up-to-date information on the vulnerability, check out the detailed report from our Unit 42 team.
SOFTWARE
Bank Info Security

CISA to Agencies: Patch Log4j Vulnerability 'Immediately'

In an emergency directive issued on Friday regarding the explosive Apache Log4j vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency has required federal civilian departments and agencies to immediately patch their systems or implement appropriate mitigation measures. CISA previously gave agencies until Dec. 24 to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog.
TECHNOLOGY
Bank Info Security

Time to Patch Log4j Again; Apache Releases 2.17 Fixing DoS

Apache has released Log4j version 2.17 to fix yet another high-severity denial-of-service vulnerability - tracked as CVE-2021-45105 with a CVSS score of 7.5 - that affects all versions from 2.0-beta9 to 2.16.0. The latest version introduced by the nonprofit Apache Software Foundation addresses a denial-of-service flaw introduced in 2.16 and...
COMPUTERS
mspoweruser.com

Microsoft Azure Sentinel can now detect Apache Log4j vulnerabilities

Microsoft Azure Sentinel is Microsoft’s native Security Information and Event Management (SIEM) tool built within Azure. Azure Sentinel enables SecOps teams to see and stop threats before they cause any harm to the organizations. Azure Sentinel is powered by AI to reduce noise and Microsoft claims that you can see an overall reduction of up to 90 percent in alert fatigue.
SOFTWARE
siliconangle.com

As Apache releases new patch, researchers discover new Log4j attack vector

Security researchers have discovered a new attack vector that exploits the Log4j vulnerability as the Apache Foundation has released a new patch to address the overall issue. Discovered late last week by researchers at Blumira Inc., the new attack vector relies on a Javascript WebSocket connection to trigger a remote code execution on internal and locally exposed unpatched Log4j applications.
SOFTWARE
helpnetsecurity.com

The Log4j saga: New vulnerabilities and attack vectors discovered

The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell (CVE-2021-44228) was fixed by releasing Log4j v2.15.0. There’s CVE-2021-45046, a DoS/RCE flaw that was fixed in v2.16.0, then CVE-2021-45105, a DoS hole plugged in v2.17.0. Oh, and there’s CVE-2021-4104, a RCE vulnerability...
SOFTWARE

