Last Updated on 13/12/2021 by Sanskriti
13th December 2021
Since the recent discovery of the Apache Log4j zero-day vulnerability, numerous security teams have been working nonstop. According to experts, the bug might be the most catastrophic security vulnerability to surface in years. CVE-2021-44228 is a vulnerability in the Log4j 2 open-source software library. The event-logging component is found in tens of thousands of applications and cloud-based services.
Because of its widespread nature, the bug’s security threat is “about as dangerous as it gets,” according to Sam Curry, Cybereason’s chief security officer.
According to Charles Carmakal, senior vice president and CTO of incident response provider Mandiant, organizations are now racing to understand the risk and exposure they face. The previous two days, according to Carmakal, have been a “tough weekend.”
“Most organizations don’t know what the scope of the impacted systems actually is because Log4j is embedded in so many different applications and maybe even black-box systems that organizations have in their network,” Carmakal says. “So it’s likely going to take weeks or months for organizations to really get a good handle on all the different applications and systems that use this.”
Because attacks are so easy to launch, Carmakal says that several businesses have already moved into incident response. A single line of code may be enough to exploit the issue remotely. Because Java is cross-platform, the flaw can be exploited in vulnerable software on both Windows and Linux systems.
Analysts are still working out how many different ways the vulnerability can be exploited, because logging components such as Log4j by design consume unsanitized, untrusted data. Anything that Log4j 2 parses could carry an exploit: an email, a user-agent string, and so on.
Casey Ellis, CTO and founder of Bugcrowd, said, “I’ve seen someone exploiting this using a Wi-Fi SSID.”
He further said, “The idea of this ending up in a self-propagating piece of malware or ransomware or whatever else – that’s to me a question more of when – not if – it will happen.”
The Apache Software Foundation has issued a fix for the vulnerability, which should be applied as soon as possible. But that’s only part of the issue. Because Log4j 2 can be embedded deep inside programs that users did not design, many businesses may not even be aware that they are susceptible.
As a result, firms are still trying to work out the implications of Log4j 2, which can be hard in complicated, legacy environments, according to Ellis. Even though a patch is available, applying it may be difficult.
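One way to locate copies of Log4j 2 buried inside other software, as an added example that is not from the original article or from Apache: the scanner below opens JAR/WAR/EAR/ZIP archives recursively and reports every nested path that contains log4j-core's `JndiLookup` class. Using that class as the marker, the depth limit and the sample archive names are assumptions made for illustration.

```python
import io
import os
import zipfile

# Class shipped in log4j-core 2.x; finding it marks an embedded copy (assumed marker).
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # stop on pathological nesting

def find_log4j_core(data, label, depth=0):
    """Return '!'-joined paths of every (nested) archive that holds MARKER."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: skip it, keep scanning
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == MARKER or name.endswith("/" + MARKER):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                hits += find_log4j_core(zf.read(info), f"{label}!{name}", depth + 1)
    return hits

def scan_tree(root):
    """Scan every archive under a directory (each file is read into memory)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits += find_log4j_core(fh.read(), path)
    return hits

def _zip(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed input: a WAR whose vendor JAR bundles the logging JAR."""
    inner = _zip({MARKER: b"stub"})
    vendor = _zip({"lib/log4j-core.jar": inner, "com/vendor/Sdk.class": b"stub"})
    return _zip({"WEB-INF/lib/vendor-sdk.jar": vendor, "index.html": b"<html/>"})
```

A hit only shows where the library is present; whether that copy has already been patched still has to be checked against Apache's advisory.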
Read the full article of security-experts-uneasy-about-internets-latest-bad-bug-a-18107