CyberInSecurity - Ah Oh it's Java time
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
“log4j is a reliable, fast and flexible logging framework (APIs) written in Java, which is distributed under the Apache Software License.
log4j has been ported to the C, C++, C#, Perl, Python, Ruby, and Eiffel languages.” (src: tutorialspoint.com)
- easily exploitable security problem in the Java library Log4j
- worst case scenario: a widely used and publicly accessible piece of software (internet communication message handling) for which no easy update mechanism exists (updates to the Java framework are possible, but not automated, because upgrades may break functionality)
- Log4Shell, the widespread Apache Log4j vulnerability
- Microsoft’s threat intelligence teams reported on Saturday that they’ve seen Log4Shell exploited to install Cobalt Strike, a popular tool with cybercriminals that is often seen as a precursor to deploying ransomware.
- (src: venturebeat.com)
- “The vulnerability affects any application that uses Apache Log4j, an open source logging library, and many applications and services written in Java are potentially vulnerable”
- “The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.”
- (src: venturebeat.com)
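One way to check deployed archives against the affected range quoted above, as an added example (not from the original post or from the Log4j project): it reads the Maven `pom.properties` entry that log4j-core jars carry and descends into nested archives such as fat jars and WARs. Ignoring pre-release suffixes, the nesting limit and the sample WAR are assumptions.

```python
import io
import re
import zipfile

# Maven metadata entry shipped inside log4j-core jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# Range quoted above: 2.0 through 2.14.1 affected; 2.15.0 is the advised update.
FIRST_AFFECTED, LAST_AFFECTED = (2, 0, 0), (2, 14, 1)

def is_affected(version):
    """True/False, or None if unparseable; pre-release suffixes ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return FIRST_AFFECTED <= tuple(int(g or 0) for g in m.groups()) <= LAST_AFFECTED

def scan_archive(data, name, depth=0, max_depth=4):
    """List (location, version, affected) per log4j-core copy, nested archives included."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.filename == POM:
                props = zf.read(info).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "unknown"
                findings.append((name, version, is_affected(version)))
            elif info.filename.lower().endswith(ARCHIVES) and depth < max_depth:
                inner = f"{name}!/{info.filename}"
                findings += scan_archive(zf.read(info), inner, depth + 1, max_depth)
    return findings

def constructed_sample():
    """Constructed input: a WAR bundling one affected and one updated log4j-core."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, content in entries.items():
                zf.writestr(entry, content)
        return buf.getvalue()
    return jar({"WEB-INF/lib/a.jar": jar({POM: b"version=2.14.1\n"}),
                "WEB-INF/lib/b.jar": jar({POM: b"version=2.15.0\n"})})

if __name__ == "__main__":
    print(*scan_archive(constructed_sample(), "app.war"), sep="\n")
```

A copy of the library whose Maven metadata was stripped or relocated during repackaging will not be found by this check, so an empty result is not proof of absence.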
https://www.tagesschau.de/inland/bsi-schadsoftware-103.html
Originally posted at: https://dwaves.de/2021/12/13/cyberinsecurity-ah-oh-its-java-time/