Posted on 12/12/2021 6:20:07 PM PST by BenLurkin
The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to configure their applications.
Apple's cloud computing service, security firm Cloudflare and one of the world's most popular video games, Minecraft, are among the organizations that run Log4j, according to security researchers.
The vulnerability can offer a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network.
Security experts say that the fallout from the software flaw could continue for days and weeks as organizations race to address the issue.
The situation escalated before the weekend when a tool for exploiting the vulnerability was made public on GitHub, a software repository. That gave malicious hackers a potential roadmap for how to use the vulnerability to break into devices.
Easterly said her agency would hold a call with critical infrastructure firms across the country on Monday to brief them on the situation.
(Excerpt) Read more at cnn.com ...
Yup - woke up to find out our Bangalore team devops had spent their Sunday working to identify components using log4j and update to 2.15.0.
This even affects Ingenuity, the Mars helicopter.
It's fairly simple to update the log4j library to the latest version and I bet a lot of IT people are spending their weekend doing just that.
The vulnerability is related to the log4j JndiLookup class that is responsible for string substitutions in the log message. I suspect the hackers can load a bogus hacked file to the server and then replace the intended string substitution with malware code of their choosing from the hacked file.
Disabling the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true, will block this vulnerability until the new library can be installed.
Methinks this vulnerability as seen in the wild is due to vulnerable Active Directory installations when the CVE is updated and scored.
Not that there isn’t an IT/Sec/Sysadmin anywhere that isn’t already aware of this, but what the heck, *ping* anyway....
Heh, we have a lot of software made with that.
Glad I’m not coding. Too many people do not revisit their code and can’t do an upgrade, easily. Heck, even identifying all the software in production using it will take weeks.