source: https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d
Two years on and multiple “the sky is falling” headlines later, Veracode reported last week that more than a third (38%) of all in-use applications are still using vulnerable versions of #Log4j.
#software #fail #bug #security #NorthKorea #attack #problem #news #cybersecurity #update #economy
Source: https://www.veracode.com/blog/research/state-log4j-vulnerabilities-how-much-did-log4shell-change
What we found illustrates how unaddressed #security technical debt exposes organizations to numerous risks.
...
Overall, we found that more than 1 in 3 (38 percent) of applications currently use vulnerable versions of Log4j.
#vulnerability #problem #software #development #news #economy #capitalism #fail #exploit
"Der Fehler des ersten Hotpatches liegt Sicherheitsforschern zufolge darin, dass er jeden Prozess, der eine Binärdatei mit "java" im Namen hat, patcht – das geschehe mit erhöhten Rechten. So könnte Schadcode mit "java" im Namen etwa aus Containern ausbrechen."
:facepalm
Hace unos meses, la vulnerabilidad Log4Shell, que afectaba a la librería open source Apache Log4j (y con ella, a casi todas las grandes plataformas web), causó una oleada de preocupación en la industria tecnológica y llegó a provocar una reunión en la Casa Blanca que tomar medidas con respecto al modo en que se estaban planteando el mantenimiento de software crítico para la infraestructura de Internet.
Ahora, una nueva vulnerabilidad 'zero day', conocida como 'Spring4Shell', acaba de salir a la luz, y algunos expertos afirman que podría tener "un impacto mayor" que el que tuvo Log4Shell en su momento. Bueno, técnicamente se trata de dos vulnerabilidades: 'Spring4Shell' propiamente dicha, también conocida como CVE-2022-22965, y una vulnerabilidad menor llamada CVE-2022-22963.
Spring4Shell afecta a las aplicaciones desarrolladas con el framework Spring, creado con el fin de agilizar la creación de software con Java. Como en el caso de Log4Shell, su existencia se hizo pública tras ser descubierta la vulnerabilidad por un investigador de ciberseguridad chino que difundió un exploit de prueba en varios tuits ya eliminados.
https://www.genbeta.com/desarrollo/log4shell-fue-grave-algunos-expertos-creen-que-nueva-vulnerabilidad-spring4shell-podria-ser-peor
#Ñ #seguridad
The #Apache #Log4j team talks about the #Log4Shell patching process - The Record by Recorded Future ⚓ https://therecord.media/the-apache-log4j-team-talks-about-the-log4shell-patching-process/
source: https://www.neta.mk/archive
#developer #software #code #nerd #geek #programmer #humor #joke #meme #memes #lol #fun #funny #project #management #just4fun #satire
Es wurde die Erwartung geäussert, dass über die Feiertage mit größtenteils heruntergefahrenem IT-Support eine großangelegte Angriffswelle via #Log4Shell gestartet werden könnte.
Bin mir noch unklar, ob und wann ich doch mal nach den Systemen schauen soll. Kann nur hoffen, in den 2 Wochen zuvor nichts übersehen zu haben.
'Presstitutes' of #microsoft still trying to suck whatever is left of FUD associated with #Log4j and #Log4Shell even though most people patched that ages ago (more than a week ago)
#Log4Shell enumeration, mitigation and attack detection tool http://www.tuxmachines.org/node/159427#comment-32255
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- “log4j is a reliable, fast and flexible logging framework (APIs) written in Java, which is distributed under the Apache Software License. log4j has been ported to the C, C++, C#, Perl, Python, Ruby, and Eiffel languages.” (src: tutorialspoint.com)
- easy exploitable security problem in Java library Log4j (run the search)
- worst case scenario: a widely used and publicly accessible (internet communication message handling) software allows loading and running code from a remote site (this is not a feature, this is CyberSec madness, deseriously wtf!?)
- JavaUpdates? some do them some don’t because it could break functionality (vendor will have to update and re-test the program’s functionalities)
- Log4Shell, the widespread Apache Log4j vulnerability
- Microsoft’s threat intelligence teams reported on Saturday that they’ve seen Log4Shell exploited to install Cobalt Strike, a popular tool with cybercriminals that is often seen as a precursor to deploying ransomware.
- (src: venturebeat.com)
- “The vulnerability affects any application that uses Apache Log4j, an open source logging library, and many applications and services written in Java are potentially vulnerable”
- “The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.”
- (src: venturebeat.com)
https://www.tagesschau.de/inland/bsi-schadsoftware-103.html
the once hailed cross-platform language is allowed to do too much, as often mentioned the security implications of #evilness of a JavaScript that allows more than nicely render text is massive, it goes as far as attacking not-so-up-to-date devices within the user’s network, simply by visiting a (hacked? or just hosted with great content but evil intentions) website.
https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
https://www.rumble.run/blog/finding-log4j/
“The breach reportedly targeted a security flaw in a widely used utility known as Log4j, a fault that was first observed by cyber experts earlier this month, stoking fears that hackers could use the vulnerability to compromise millions of devices. While many attackers have exploited the flaw to install cryptocurrency mining software on computers without the owners’ knowledge, others have taken aim at businesses and even government agencies, according to Check Point, an Israel-based cyber security firm.
Companies and officials in Belgium and beyond have raced to patch up the vulnerability, with Google reportedly tasking 500 engineers to ensure its code is airtight, while the US Cybersecurity and Infrastructure Security Agency issued an emergency directive last week urging other federal agencies to fix the flaw.”
https://www.rt.com/news/543825-belgium-military-cyber-attack/
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Impacted productsRemediationRemediation statusUser ActionTeamViewer IoTServer-side hot fixdonenot requiredTeamViewer EngageServer-side hot fixdonenot requiredTeamViewer FrontlineServer-side hot fixdonenot required*(2021-12-20) Update on* CVE-2021-45105:
In the night between the 17th and 18th of December a third vulnerability in the log4J library (tracked as CVE-2021-45105) has been disclosed. The version, with the provided fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046), has been found vulnerable to a DoS attack. A new version has been provided by the project maintainers. TeamViewer again has deployed a server-side hotfix for all affected products. User action is not required.
(2021-12-15) Update on CVE-2021-45046:
After it was found that the third-party provided fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete, we have deployed an additional server-side hotfix to address the new CVE-2021-45046. User action is not required. We will continue to monitor the situation closely.
(2021-12-13) Statement on CVE-2021-44228:
The third-party Java library Log4J2, which is widely used in the software industry, is subject to a critical vulnerability tracked as CVE-2021-44228. For our potentially impacted services including TeamViewer IoT, TeamViewer Engage, and TeamViewer Frontline, we have deployed an immediate server-side hotfix. User action is not required.
Other TeamViewer products are not impacted. Furthermore, we have diligently investigated our IT infrastructure and taken appropriate steps to mitigate any supply chain risks. TeamViewer will continue to monitor the situation closely.
#linux #gnu #gnulinux #opensource #administration #sysops #java #cyber #itsec #log4j #cybersec #javascript #Log4Shell
Originally posted at: https://dwaves.de/2021/12/13/cyberinsecurity-ah-oh-its-java-time-log4j-called-log4shell-dynamically-remote-loading-code-or-any-other-resources-is-always-a-bad-cybersec-idea/
'Checkt auch die HyperVisor!', sagen sie.
HyperVisor? WTF! Was bitte soll #log4j auf einem HyperVisor? Und wie sollte ein Angreifer da hin kommen? Dann hat man doch eh schon verloren...
Nun ja, eine Option wurde mir heute praxisnah demonstriert. Wahrscheinlich für das Ziehen eines Images gab es da ein internes #NFS - Share, welches offenbar vergessen wurde zu schliessen. Und irgendwo tief in dem Tree lagen tatsächlich auch noch ranzige log4j*.jar aus einem artfremden Backup von 1728 rum.
#Oops
Nun gut, ist natürlich schon ein separiertes Netz und da sollte kein Angreifer hinkommen und vor allem nicht raus, aber das allein dürfte mich die letzten Haare gekostet haben.
Ähm - #Log4Shell via #Javascript #WebSocket auf dem #Client - hätte ich das besser erst morgen früh lesen sollen? Bin mir noch nicht sicher ob des tatsächlichen Potentials.
Geht das wirlich?!?
#Log4Shell : A new fix, details of active attacks, and risk mitigation recommendations http://www.tuxmachines.org/node/158990?page=1#comment-32208
Öhm - und warum ist auf meinem #Fedora - Client #log4j installiert? Auf dem Client?
[root@j12 ~]# dnf upgrade | grep log4j
log4j noarch 2.16.0-1.fc35 updates 1.8 M
Wie krieg ich denn jetzt raus, wozu das gehört?
#log4shell #security
Nach 7 Tagen #log4shell fang ich dann jetzt auch mal zuhause an:
[root@j8 tmp]# unzip -l /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar | grep 'JndiLookup.class'
2892 08-06-2019 18:45 org/apache/logging/log4j/core/lookup/JndiLookup.class
[root@j8 tmp]# systemctl disable --now openhab2.service
Zum Glück steht mein #openHAB in einem abgeschotteten Subnetz, wo er nur äusserst restriktiv zugänglich ist.
Why patch log4j when natural remedies are readily available? Look no further!
#log4shell #log4j #faille #java
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#who-affected
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
