CM – Critical Apache Log4j 2 error under attack, mitigate now

0

A recently discovered vulnerability in Log4j 2 is reportedly being exploited in the wild, putting widespread applications and cloud services at risk.

Log4j 2 is a popular Java logging framework developed by the Apache Software Foundation would. Vulnerability CVE-2021-44228 allows remote code execution for users with certain default configurations in earlier versions of Log4j 2. Beginning with Log4j 2.0.15 (released December 6th), the vulnerable configurations have been disabled by default.

CVE-2021-44228 applies as a critical bug and has a CVSS base score of 10 – the highest possible severity rating.

Apache described the bug attributed to Chen Zhaojun of the Alibaba Cloud Security Team on its Log4j2 vulnerability page as follows:

« Apache Log4j2 <= 2.14.1 JNDI functions used in configuration, protocol messages and parameters do not protect against attackers-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI [Java Naming and Directory Interface] -related endpoints, "it says in the description . "An attacker who could control log messages or log message parameters could execute arbitrary code that is loaded by LDAP servers if message search substitution is enabled. As of log4j 2.15.0, this behavior is disabled by default."

The vulnerability first became public knowledge when a security researcher posted a proof-of-concept exploit of the then-unknown bug on Twitter on Thursday morning. Since then, the bug has been assigned a CVE and is already being used in attacks, according to reports from the New Zealand Computer Emergency Response Team (CERT), Cloudflare and others.

In addition, the Cybersecurity and Infrastructure Security Agency (CISA) had a advisory on Friday released, urging users and administrators to take appropriate countermeasures.

Several security vendors and threat researchers have found that Log4j 2 is used in many major cloud services, applications, and PC games, including Apple iCloud, Minecraft, and Cloudflare. Minecraft posted a notice on Friday saying the company had fixed the Log4j 2 vulnerability, but urged gamers and Minecraft server hosts to take additional steps to protect themselves.

Read up on three key security challenges to multi-tenancy and how to address them including a lack of visibility, permissions assignment …

If your company uses a cloud database provider, it is important to keep track of security. Check out the security features …

The cloud-native Application Protection Platform (CNAPP) is the latest in a series of acronyms for cloud security. Find out what it is …

CIO Brad Peterson said Nasdaq’s experience with AWS over the past twelve years has shown that the cloud is ready to meet the …

Given the global chip scarcity lead times for switches, routers, firewalls and access points have increased. These seven …

Digital twin technology is a hot topic in IoT systems, but IT teams can also invest in digital twins to …

Amazon’s business practices are not only going to be put to the test in the USA, but around the world. Amazon was hit with a record …

Marketing and information technology are both critical to a company’s success. Here’s some important advice, like everyone …

President’s Special Assistant Tim Wu highlighted Merger Review as a priority area for the DOJ and the FTC as the authorities …

can provide Windows updates for IT Administrators can lead to unexpected problems, but there are some simple steps they should always take to …

Microsoft offers a variety of troubleshooters to fix common Windows 10 problems and once you find the right one for your Have found problem …

Monthly subscribers to Microsoft 365, Dynamics 365 and Windows 365 have to pay a premium or switch to an annual price …

Centralized logging – especially in hybrid and multi- Cloud Environments – can improve an IT team’s monitoring strategy and …

AWS has announced the general availability of a major version of its cloud development kit and Construct Hub. One user …

Discover the pros and cons of migrating applications with AWS SaaS Boost. Find out how the Boost framework supports the migration …

Research by Inmarsat Enterprise in November 2021 found that up to 84% of companies have given up accelerated IoT deployment or …

Still A few years ago, one might think that endpoint security was a relatively simple matter, even if it …

Backup is fundamental to IT, but things have changed a lot lately. The pandemic has a major impact on this. In this e-guide …

All rights reserved,
Copyright 2000-2021, TechTarget
Privacy Policy

Cookie settings

Don’t sell my personal information

Keywords:

Vulnerability,Log4j,Computer security,Zero-day,Minecraft,Java,Exploit,Vulnerability, Log4j, Computer security, Zero-day, Minecraft, Java, Exploit,,,,,,,,,,,,

Donnez votre avis et abonnez-vous pour plus d’infos

[gs-fb-comments]

[comment]

[supsystic-newsletter-form id=4]

Vidéo du jour: