Posted on 12/16/2021 5:02:43 AM PST by rarestia
Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.
The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.
"This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0," Cloudflare's Andre Bluehs and Gabriel Gabor said.
Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances." Additional technical details of the flaw have been withheld to prevent further exploitation, but it's not immediately clear whether this has already been addressed in version 2.16.0.
The latest development comes as advanced persistent threat groups from China, Iran, North Korea, and Turkey, counting the likes of Hafnium and Phosphorus, have jumped into the fray to operationalize the vulnerability and discover and continue exploiting as many susceptible systems as possible for follow-on attacks. Over 1.8 million attempts to exploit the Log4j vulnerability have been recorded so far.
Microsoft Threat Intelligence Center (MSTIC) said it also observed access brokers leveraging the Log4Shell flaw to gain initial access to target networks that were then sold to other ransomware affiliates. In addition, dozens of malware families that run the gamut from cryptocurrency coin miners and remote access trojans to botnets and web shells have been identified taking advantage of this shortcoming to date.
While it's common for threat actors to make efforts to exploit newly disclosed vulnerabilities before they're remediated, the Log4j flaw underscores the risks arising from software supply chains when a key piece of software is used within a broad range of products across several vendors and deployed by their customers around the world.
"This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more," industrial cybersecurity firm Dragos noted.
"As network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks," the company added.
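The actionable point in the article is the version threshold: anything below 2.15.0 is exposed to the original Log4Shell bug, 2.15.0 itself is still exposed to the incomplete-fix issue, and 2.16.0 is the release the article names as fixed. The following Python script, an added example and not code from Cloudflare, the Apache project or the article, turns that into an inventory check over a list of jar paths. The file-name pattern, the constructed sample paths and the status labels are assumptions of this example; the thresholds are the ones stated above.

```python
import re
from typing import Dict, List, Tuple

# Version thresholds exactly as the article states them (added example, not
# Cloudflare's or the Apache project's own code): 2.15.0 was the first fix for
# CVE-2021-44228 (Log4Shell) and was incomplete in some non-default
# configurations (CVE-2021-45046); the article names 2.16.0 as the fixed release.
FIRST_FIX = (2, 15, 0)
COMPLETE_FIX = (2, 16, 0)

# Only log4j-core carries the JNDI lookup code, so log4j-api jars are not flagged.
# Matches e.g. log4j-core-2.14.1.jar and pre-release names like log4j-core-2.0-beta9.jar
# (assumed file-name convention; shaded or renamed jars will not match).
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(version: Tuple[int, int, int]) -> str:
    """Map a log4j-core 2.x version onto the CVE it is still exposed to, per the article."""
    if version[0] != 2:
        return "not-covered"          # the article's thresholds only describe the 2.x line
    if version < FIRST_FIX:
        return "CVE-2021-44228"       # original Log4Shell remote code execution
    if version < COMPLETE_FIX:
        return "CVE-2021-45046"       # 2.15.0: incomplete fix, DoS in non-default configs
    return "fixed"


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Classify every log4j-core jar in a list of file paths (e.g. the output of a find run)."""
    findings: Dict[str, str] = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings[path] = classify(parse_version(match.group(1)))
    return findings


def needs_upgrade(paths: List[str]) -> List[str]:
    """Paths that must move to 2.16.0, including hosts that already went to 2.15.0."""
    return sorted(p for p, status in scan_paths(paths).items() if status.startswith("CVE-"))


# Constructed sample inventory; a real run would feed in the output of
# `find / -name 'log4j-core-*.jar' 2>/dev/null` instead.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.16.0.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
]

if __name__ == "__main__":
    for path, status in scan_paths(SAMPLE_PATHS).items():
        print(f"{status:16} {path}")
    print("upgrade to 2.16.0:", needs_upgrade(SAMPLE_PATHS))
```

A file-name scan is only a first pass: log4j-core bundled inside a fat or shaded application jar, or a jar that has been renamed on disk, will not match the pattern, so the jar manifest or the `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry inside each archive should be checked as well before a host is marked clean.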
It’s not a flaw, it’s a feature.
It’s interesting to me how many deep flaws have been found in longstanding products such as Apache and Exchange. Makes me wonder if they were always there and being used gratuitously, such as by the feds, or if they’re the result of bugs generated from patching of other flaws.
.
Brought to you by Bill Gates and Company.
LMFAO. Nice try. Your mind block is showing.
Apache isn't (and never has been) a Microsoft product.
. . .and Java, where this particular flaw is centered, comes from Java, which is Oracle code...
Not Microsoft. We will see this happening a lot in coming days and months. Top priority for the future of the IoT, digital currency and Ai.
Just more proof that all this attention to cyber security is by people that are terribly unqualified to do so. This should have been fixed years ago.
bttt
We found Log4j on one of our boxes. We took the “Let's rename it and see if anything breaks” approach.
So far nothing broke...
“...widely used Log4j logging utility....”
Is this what is driving up the price of lumber?
The code is now so complex and convoluted that I doubt few individuals and organisations can keep up with it.
Nor why any sane person would want to.
[remember: to relieve the latency spike pressures on your garbage collector, your Log4j steady state logging should be configured to run garbage-free!]
FRegards
I thought the Open Source movement was supposed to allow coders to create one invincible OS, but evidently egos have gotten in the way and generated hundreds of vanity projects with more fatal flaws waiting to be discovered.
The problem is that bugs like this are not much fun to find and fix. It doesn’t look good on a resume. What is fun is using some new, buggy package to implement new gewgaws of dubious value. Anything to increase the attack surface and facilitate moving the IT department to the other side of the world. I’ll probably be OK.
“egos have gotten in the way and generated hundreds of vanity projects with more fatal flaws waiting to be discovered.”
Stroking egos is cheaper than paying people. If you don’t pay people for their time, then you can’t order them to drop their little side project and look for bugs.
I think one of the fundamental problems we have is that people are conditioned to not want to pay for software or anything. If everyone on Facebook would just give them the $25/year they make off them, they could demand that Facebook not mine their information and sell it. They would be the customer and not the product.
I applied the first Log4jShell patch to 2.15.0 over the weekend. It barely passed the first build cycle when another CVE came out regarding JNDI and 2.16.0 needed to be applied. So much "churn" in the build environment for little value added to the customer...aside from keeping the criminals out of their systems.
Log4j Vulnerability Tester
https://log4j-tester.trendmicro.com/