Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

ronjor · Dec 10, 2021

Original release date: December 10, 2021

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
Click to expand...

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
Click to expand...

hawki · Dec 10, 2021

ronjor said: ↑

Original release date: December 10, 2021
Click to expand...

"Global race to patch critical computer bug in open source software used by Apache servers

Security experts around the world raced Friday to patch one of the worst computer vulnerabilities discovered in years, a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software.

'I’d be hard-pressed to think of a company that’s not at risk,' said Joe Sullivan, chief security officer for Cloudflare...

The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10...Anyone who wants to exploit it can get full access to an unpatched machine...

'The internet’s on fire right now. People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it,' said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike . 'In the last 12 hours it has been fully weaponized.'..."

https://www.marketwatch.com/story/g...-apache-servers-01639166970?mod=mw_latestnews

longshots · Dec 11, 2021

It took two weeks to develop and release a fix.
But patching systems around the world could be a complicated task.
While most organisations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

https://www.abc.net.au/news/2021-12-11/log4shell-techs-race-to-fix-software-flaw/100692876

reasonablePrivacy · Dec 11, 2021

hawki said: ↑

"Global race to patch critical computer bug in open source software used by Apache servers
Click to expand...

It might be misleading. Yes, Apache Log4j 2 is under the umbrella of The Apache Software Foundation. Yet it has nothing to do with Apache HTTP Server.

reasonablePrivacy · Dec 11, 2021

https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted:

Apache Struts

Apache Solr

Apache Druid

Apache Flink

ElasticSearch

Flume

Apache Dubbo

Logstash

Kafka

Spring-Boot-starter-log4j2

Click to expand...

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2.
Click to expand...

Minimalist · Dec 13, 2021

Hackers start pushing malware in worldwide Log4Shell attacks

Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers. In this article we have compiled the known payloads, scans, and attacks using the Log4j vulnerability.
Click to expand...

https://www.bleepingcomputer.com/ne...shing-malware-in-worldwide-log4shell-attacks/

ronjor · Dec 13, 2021

CISA warns 'most serious' Log4j vulnerability likely to affect hundreds of millions of devices

Written by Tim Starks
Dec 13, 2021 | CYBERSCOOP
Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability in a widely-used logging library “is one of the most serious I’ve seen in my entire career, if not the most serious.”
Click to expand...

ronjor · Dec 13, 2021

CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228

Original release date: December 13, 2021
CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1.
Click to expand...

Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system
Click to expand...

.

In response, CISA has created a webpage, Apache Log4j Vulnerability Guidance and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the webpage and the GitHub repository.
Click to expand...

CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available.
Click to expand...

IvoShoen · Dec 13, 2021

https://edition.cnn.com/2021/12/11/politics/dhs-log4j-software-flaw-warning/

Minimalist · Dec 15, 2021

Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16

Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet.

However, that release only partially closed the hole (CVE-2021-44228) by disabling by default one aspect of the Java library's exploitable functionality – JNDI message lookups. Now version 2.16 is out, and it disables all of JNDI support by default, and removes message lookup handling entirely for good measure, hopefully finally preventing further exploitation.
Click to expand...

https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/

Minimalist · Dec 17, 2021

Brand-New Log4Shell Attack Vector Threatens Local Hosts

Defenders will once again be busy beavers this weekend: There’s an alternative attack vector for the ubiquitous Log4j vulnerability, which relies on a basic Javascript WebSocket connection to trigger remote code-execution (RCE) on servers locally, via drive-by compromise.

In other words, an exploit can affect services running as localhost in internal systems that are not exposed to any network.

That’s according to researchers at Blumira, who noted that the discovery eviscerates the notion that Log4Shell attacks are limited to exposed vulnerable web servers.
Click to expand...

https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/

Minimalist · Dec 18, 2021

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

All set for the weekend? Not so fast. Yesterday, BleepingComputer summed up all the log4j and logback CVEs known thus far.

Ever since the critical log4j zero-day saga started last week, security experts have time and time again recommended version 2.16 as the safest release to be on.

That changes today with version 2.17.0 out that fixes a seemingly-minor, but 'High' severity Denial of Service (DoS) vulnerability that affects log4j 2.16.

And, yes, this DoS bug comes with yet another identifier: CVE-2021-45105.
Click to expand...

https://www.bleepingcomputer.com/ne...o-log4j-216-surprise-theres-a-217-fixing-dos/

guest · Dec 20, 2021

Apache Log4j allows insecure JNDI lookups
December 15, 2021 (Updated: December 20, 2021)

Overview
Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.
CISA has published Apache Log4j Vulnerability Guidance and provides a Software List.
Description
The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.

More information is available from the Apache Log4j Security Vulnerabilities page, including these highlights: [...]
Click to expand...

Impact
A remote, unauthenticated attacker with the ability to log specially crafted messages can cause Log4j to connect to a service controlled by the attacker to download and execute arbitrary code.
Click to expand...

JRViejo · Dec 21, 2021

As companies scramble to determine whether they're vulnerable to the Log4j2 flaw, SMBs may not have the resources to do so themselves. Here's what you can do.
Click to expand...

What’s all the fuss with Log4j2? by Susan Bradley

guest · Dec 22, 2021

Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
Alert (AA21-356A)
December 22, 2021

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
Click to expand...

This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.
These steps include:

Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,

Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and

Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.

This CSA also provides guidance for affected organizations with operational technology (OT)/industrial control systems (ICS) assets.
Click to expand...

guest · Dec 22, 2021

CISA releases Apache Log4j scanner to find vulnerable apps
December 22, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

"log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities," the cybersecurity agency explains.
This scanning solution builds upon similar tools, including an automated scanning framework for the CVE-2021-44228 bug (dubbed& Log4Shell)& developed by cybersecurity company FullHunt.
Click to expand...

The tool enables security teams to scan network hosts for Log4j RCE exposure and spot web application firewall (WAF) bypasses that can allow threat actors to gain code execution within the organization's environment.
Click to expand...

guest · Dec 22, 2021

NVIDIA discloses applications impacted by Log4j vulnerability
December 22, 2021

NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide.
Click to expand...

Log4Shell impact
While NVIDIA consumer applications are unaffected, some NVIDIA enterprise applications include Apache Log4j and need to be updated:

Nsight Eclipse Edition versions below 11.0 are vulnerable to CVE-2021-33228 and CVE-2021-45046 and are fixed in version 11.0 or later.

NetQ is vulnerable to CVE-2021-33228, CVE-2021-45046, and CVE-2021-45105 on versions 2.x, 3.x, and 4.0.x. As such, users are advised to upgrade to NetQ 4.1.0 or later.

vGPU Software License Server is impacted by CVE-2021-33228 and CVE-2021-45046 on versions 2021.07 and 2020.05 Update 1. The recommended practice in these cases is to follow this mitigation guide.

Click to expand...

NVIDIA also warns that CUDA Toolkit Visual Profiler includes Log4j files but that the application is not using them. An updated version is being released in January 2022 to remove these files.

"Log4j is included in CUDA Toolkit. However, it is not being used, and there is no risk to users who have the Log4j files," explains NVIDIA's security notice.
Click to expand...

NVIDIA: Security Notice: NVIDIA Response to Log4j Vulnerabilities - December 2021

This notice is a response to the remote code execution vulnerabilities in the Log4j Java library, which is also known as Log4Shell.
Click to expand...

guest · Dec 22, 2021

Belgian Ministry of Defense affected by Log4j?
December 21, 2021

The vulnerability CVE-2021-44228 in the JAVA library log4j is drawing wider circles. The Belgian Ministry of Defense may have shut down its networks after a serious cyberattack, admitting as much in the night from Sunday to Monday. Reports suggests that it was related to the log4j vulnerability CVE-2021-44228.

I had reported in the blog post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk about the vulnerability that affects numerous systems. And it was known that the German Federal Finance Court was among the victims who had to take their website offline (see Log4j news: New vulnerability, Federal Finance Court website down, many companies unpatched).
Click to expand...

Belgian Ministry of Defense shuts down network
I became aware of the facts via the following tweet by Catalin Cimpanu. The Belgian Ministry of Defense has taken parts of its IT network offline because of a cyber attack. The email servers are also affected.

The cyberattack occurred, according to the linked article, after a security vulnerability (log4j) was discovered in the software just last week.
However, the Ministry of Defense currently refuses to provide any information on whether the attack took place via the log4j vulnerability using a Log4Shell.
Click to expand...

guest · Dec 22, 2021

Bug bounty platforms handling thousands of Log4j vulnerability reports
Leading platforms report back from the front line as vendors grapple with landmark bug
December 22, 2021

Bug bounty hunters have already submitted thousands of vulnerability reports related to the Apache Log4j bug that continues to send shockwaves through the global software ecosystem.

Submitted via a bug bounty program itself, the critical, CVSS 10-rated flaw in Log4j, an open source Java logging library, allows cybercriminals to launch remote code execution (RCE) attacks against an arguably unparalleled number of potential targets.
Click to expand...

Less than two weeks since the bug was publicly disclosed, more than 500 hackers have submitted close to 1,700 reports to over 400 programs on HackerOne alone, a company representative told The Daily Swig.
Fellow US-headquartered platform Bugcrowd says it too has validated and triaged thousands of Log4j-related submissions since the crisis erupted.

Elsewhere, Paris-based bug bounty platform YesWeHack said it received 140 reports during the first week following Log4Shell’s disclosure on December 9.
Click to expand...

Over the weekend that followed the disclosure, fellow European platform Intigriti said it evaluated 80 such reports.

“Increased automatization and reconnaissance tooling allow for prompt detection and quick coverage of wide attack surfaces, faster than most of our customers could take action,” Inti De Ceukelaire, head of hackers at Intigriti, tells The Daily Swig.
Click to expand...

guest · Dec 23, 2021

Beijing punishes Alibaba for not reporting Log4j loophole fast enough
December 22, 2021

An Alibaba engineer found the world-threatening software vulnerability related to Log4j, but instead of getting rewarded, the company was disciplined by the Chinese regulator for not telling authorities soon enough. China’s Ministry of Industry and Information Technology decided to suspend a cybersecurity partnership with Alibaba Cloud for six months, the Chinese publication 21st Century Business Herald reported Wednesday.

According to Bloomberg, an Alibaba cloud security engineer named Chen Zhaojun was the first person to find and report a significant flaw in the open-source software tool Log4j that’s widely used by companies worldwide.
But MIIT, China’s top tech regulator, only became aware of the flaw 15 days later on Dec. 9 through a cybersecurity report, likely not submitted by Alibaba.
Click to expand...

guest · Dec 28, 2021

Log4j 2.17.1 out now, fixes new remote code execution bug
December 28, 2021

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.

Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.
Click to expand...

But now a fifth vulnerability—an RCE flaw, tracked as CVE-2021-44832 has been discovered in 2.17.0, with a patch applied to the newest release 2.17.1 which is out.

Rated 'Moderate' in severity and assigned a 6.6 score on the CVSS scale, the vulnerability stems from the lack of additional controls on JDNI access in log4j.

"JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property," states the issue description seen by BleepingComputer.
Click to expand...

Checkmarx security researcher Yaniv Nizry claimed credit for reporting the vulnerability to Apache:

Stay tuned for a blogpost ;) pic.twitter.com/D56WpVsuF3
— Yaniv Nizry (@YNizry) December 28, 2021
Click to expand...

guest · Jan 5, 2022

Microsoft Sees Rampant Log4j Exploit Attempts, Testing
January 4, 2022

No surprise here: The holidays bought no Log4Shell relief.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.
Click to expand...

Microsoft has observed many attacks in which the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems. The crafted string that enables Log4Shell exploitation contains “jndi,” following by the protocol – such as “ldap,” “ldaps” “rmi,” “dns,” “iiop,” or “http” – and then the attacker domain.
Click to expand...

guest · Jan 5, 2022

FTC warns companies to secure consumer data from Log4J attacks
January 4, 2022

The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said.
"It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
Click to expand...

The FTC advises companies to follow CISA's guidance on mitigating the Log4j flaws and:

Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html(link is external)

Consult CISA guidance to mitigate this vulnerability.

Ensure remedial steps are taken to ensure that your company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.

Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

Click to expand...

FTC: FTC warns companies to remediate Log4j security vulnerability

guest · Jan 5, 2022

ICS Vendors Respond to Log4j Vulnerabilities
January 5, 2022

SecurityWeek has compiled a list of the advisories published by industrial control system (ICS) and other industrial-related vendors in response to the recent Log4j vulnerabilities.
Major companies that provide industrial services and solutions have released advisories to inform customers about the impact of the Log4j vulnerabilities. This article presents the information that is currently available from vendors, but their advisories may be updated with additional impacted products or versions.
Click to expand...

guest · Jan 7, 2022

NHS warns of hackers exploiting Log4Shell in VMware Horizon
January 7, 2022

UK's National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.

Log4Shell is an exploit for CVE-2021-44228, a critical arbitrary remote code execution flaw in the Apache Log4j 2.14, which has been under active and high-volume exploitation since December 2021.
Click to expand...

Targeting Apache Tomcat in VMware Horizon
According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.

"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure," explains the alert.
Click to expand...

Log in or Sign up

Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

ronjor Global Moderator

hawki Registered Member

longshots Registered Member

reasonablePrivacy Registered Member

reasonablePrivacy Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

IvoShoen Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

ronjor Global Moderator

hawki Registered Member

longshots Registered Member

reasonablePrivacy Registered Member

reasonablePrivacy Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

IvoShoen Registered Member

Minimalist Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

JRViejo Super Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches