Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack | Threatpost

The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a “Mini internet meltdown soonish.”

An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover — and it’s being exploited in the wild.

The flaw first turned up on sites that cater to users of the world’s favorite game, Minecraft, on Thursday. The sites reportedly warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.

Apache Log4j Security Vulnerabilities

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

“The [Internet’s] on fire” as techs race to fix critical software flaw

But patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

‘The [Internet]’s on fire’ as techs race to fix software flaw

“The [Internet]’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch, and there are script kiddies and all kinds of people scrambling to exploit it.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed, that it had been “fully weaponized,” meaning that malefactors have developed and distributed tools to exploit.

‘Extremely bad’ vulnerability found in widely used logging system

The vulnerability is found in log4j, an open-source logging library used by apps and services across the [Internet]. Logging is a process where applications keep a running list of activities they have performed which can later be reviewed in case of error. Nearly every network security system runs some kind of logging process, which gives popular libraries like log4j an enormous reach.

Officials, experts sound the alarm about critical cyber vulnerability

The vulnerability in an Apache logging framework, known as “Log4j,” that could allow [crackers] to obtain access to targeted systems remotely sent experts running to update systems. Apache put out a security advisory warning of the threat and recommending steps to help organizations protect themselves.

to secure the supply chain, you must properly fund it

Yesterday, a new 0day vulnerability dropped in Apache Log4j. It turned out to be worse than the initial analysis: because of recursive nesting of substitutions, it is possible to execute remote code in any program which passes user data to Log4j for logging. Needless to say, the way this disclosure was handled was a disaster, as it was quickly discovered that many popular services were using Log4j, but how did we get here?

Like many projects, Log4j is only maintained by volunteers, and because of this, coordination of security response is naturally more difficult: a coordinated embargo is easy to coordinate, if you have a dedicated maintainer to do it. In the absence of a dedicated maintainer, you have chaos: as soon as a commit lands in git to fix a bug, the race is on: security maintainers are scurrying to reverse engineer what the bug you fixed was, which is why vulnerability embargoes can be helpful.

Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely-used logging utility

An unauthenticated remote code execution vulnerability in Apache's Log4j Java-based logging tool is being actively exploited, researchers have warned after it was used to execute code on Minecraft servers.

Infosec firm Randori summarised the vuln in a blog post, saying: "Effectively, any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation."

Crafted proof-of-concept code snippets are already doing the rounds.

Global race to patch critical computer bug

Global tech experts race to fix ‘fully weaponised’ software flaw

A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.

Serious bug puts Apple iCloud, Twitter, Minecraft at hacking threat

Several popular services, including Apple iCloud, Amazon, Twitter, Cloudflare and Minecraft, are vulnerable to a 'ubiquitous' zero-day exploit, cybersecurity researchers have warned, leaving IT security teams at several companies scrambling to patch the vulnerability called 'Log4Shell'.

Apple iCloud, Twitter and Minecraft vulnerable to ‘ubiquitous’ zero-day exploit – TechCrunch

A number of popular services, including Apple iCloud, Twitter, Cloudflare, Minecraft and Steam, are reportedly vulnerable to a zero-day exploit affecting a popular Java logging library. The vulnerability, dubbed “Log4Shell” by researchers at LunaSec and credited to Chen Zhaojun of Alibaba, has been found in Apache Log4j, an open source logging utility that’s used in […]

Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit

A critical vulnerability has been discovered in Apache Log4j 2, an open-source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers.

The Apache Software Foundation (ASF) has identified the vulnerability as CVE-2021-44228; LunaSec has dubbed it Log4Shell. (And security researcher Kevin Beaumont was kind enough to create a logo for it, too.) ASF says Log4Shell receives the maximum severity rating, 10, on the Common Vulnerability Scoring System (CVSS) scale.

SUSE Statement on log4j / log4shell / CVE-2021-44228 / Vulnerability

On Friday December 10 morning a new exploit in “log4j” Java logging framework was reported, that can be trivially exploited. This vulnerability is caused by a new feature introduced in log4j 2.x versions where a specific string embedded in messages logged by log4j would be interpreted by log4j to connect to remote sites and even execute code directly.

Critical RCE 0day in Apache Log4j library exploited in the wild (CVE-2021-44228)

A critical zero-day vulnerability in Apache Log4j (CVE-2021-44228), a widely used Java logging library, is being leveraged by attackers in the wild – for now, fortunately, primarily to deliver coin miners.

Reported to the Apache Software Foundation by Chen Zhaojun of Alibaba Cloud Security Team, the bug has now apparently been fixed in Log4j v2.15.0, just as a PoC has popped up on GitHub and there are reports that attackers are already attempting to compromise vulnerable applications/servers.

The Log4j mess

For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.

Josh Bressers: log4j is hard to find and harder to fix

If you pay attention to tech news, you know what’s going on with log4j right now. It’s being called Log4Shell which is a great name. I’ll spare you repeating the details of the issue, there are many many stories about it at this point.

What I’ve not seen is a good explanation about why knowing if you are using log4j is hard, and fixing it will be even harder than finding it.

Hunting for log4j

If you have a java project, the very first thing you probably did was check to see if you are pulling in log4j as a dependency. The weird thing about Java projects is even if you aren’t using log4j, it could be in you project.

Logging library flaw opens software from different vendors to RCE

The flaw, an unauthenticated remote code exploit, allows the complete takeover of systems using versions 2.0-beta9 up to 2.14.1 of the library.

Developed by the Apache Software Foundation, Log4j is used in software that does not use Java as well and products from Apple, Amazon, Cloudflare, Twitter and Steam are all susceptible.

Global race to patch critical computer bug

Security experts around the world raced on December 10 to patch one of the worst computer vulnerabilities discovered in years, a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software.

Log4Shell explained – how it works, why you need to know, and how to fix it – Naked Security

In this article, we explain the Apache Log4Shell vulnerability in plain English, and give you some simple educational code that you can use safely and easily at home (or even directly on your own servers) in order to learn more.

Just to be clear up front: we’re not going to show you how to build a working exploit, or how set up the services you need in the cloud to deliver active payloads.

No Java, No Cry - IPFire is NOT vulnerable to CVE-2021-44228

As you might have already heard in the media, a quite severe security problem in Apache log4j is ripping its way through the world - filed as CVE-2021-44228.

IPFire itself, nor our infrastructure, is or was at any time vulnerable to this problem since we are not using any Java software in either of them.

CyberInSecurity – Ah Oh it’s Java time

Log4Shell Exploitation Grows as Cybersecurity Firms Scramble to Contain Threat

Cybercriminals are quickly ramping up efforts to exploit the critical flaw found in the widely used Log4j open-source logging tool, targeting everything from cryptomining to data theft to botnets that target Linux systems.

The cybersecurity community is responding with tools for detecting exploitation of the vulnerability, a remote code execution (RCE) flaw dubbed Log4Shell and tracked as CVE-2021-44228. Efforts include a Log4j emergency patch from the Apache Software Foundation (ASF) and a “vaccine” released by Cybereason as a fix for the issue.

Detect and block Log4j exploitation attempts with CrowdSec - The open-source & collaborative IPS

If you work in Infosec, you had a very lousy weekend. And that’s because of the Log4j zero-day vulnerability (CVE-2021-44228) that was discovered. We had no choice but to roll up our sleeves to help our community before things got messier than they already were.

Hernan Vivani: log4j vulnerability – quick notes

PostgreSQL: PostgreSQL JDBC and the log4j CVE

A CVE has been reported on the popular logging implementation log4j.

As the PostgreSQL JDBC driver does not include this as a dependency we have determined that there is no need for concern. The driver is not vulnerable to this CVE.

CISA Creates Wbpage for Apache Log4j Vulnerability CVE-2021-44228

CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

Worst effects of logging flaw yet to be experienced: security pro

"Without any incentive or motivation, many developers are unable to continue maintaining, updating or reviewing software they've written, which leads to security issues that sometimes cannot be detected early on.

"There's a lot of taking and very little giving which tips the balance severely. It would behoove organisations that utilise open-source software to consider investing the time and resources needed to make them more secure."

Log4Shell vulnerability: What we know so far | WeLiveSecurity

The zero-day flaw in the ubiquitous Log4j utility has sent shockwaves far beyond the security industry – here’s what you should know.

Log4j hole revives chatter on Big Biz funding open source • The Register

The disclosure of a critical security hole in Log4j last week has renewed calls to rethink how open-source software gets developed, paid for, and maintained, not that the long-simmering issue ever really went away.

The Log4j bug, an unauthenticated remote code execution flaw (CVE-2021-44228) in Apache's open-source Log4j Java-based logging library, is particularly serious and far-reaching because exploitation is not difficult and the software is widely used and buried deep within many programs.

Annoyance with the handful of project maintainers for failing to catch the bug prompted one, developer Volkan Yazici, to voice indignation about all the people bashing the maintainers for their unpaid, volunteer labor without offering any financial support or contributed code fixes.

On the Log4j Vulnerability - Schneier on Security

Threat advisory from Cisco. Cloudflare found it in the wild before it was disclosed. CISA is very concerned, saying that hundreds of millions of devices are likely affected.

Log4j Vulnerability Puts the Entire Internet at Risk: What You Need to Know - It's FOSS News

Log4Shell is a Remote Code Execution Class vulnerability denoted as CVE-2021-44228 disclosed as an exploit that affects millions of servers that run Java applications, or particularly the open-source Apache Log4j library.

If you are curious, a wide range of applications/servers and digital systems across the internet use Log4j for logging purposes. Even the back-end systems used by Steam, Minecraft, Cloudflare, and iCloud were found vulnerable.

Why is it one of the most significant vulnerabilities in recent times? Let me tell you more about it.

The Log4j bug exposes a bigger issue: Open-source funding (Updated)

While you were watching the F1 title decider between Max Verstappen and Lewis Hamilton or excited for the Succession finale, companies running the internet were scared shitless.

You might not have noticed it because services like Twitter, Facebook, Gmail, and smaller ones all stayed up. But a bug in an open-source tech called Log4j was (and still is) causing panic amongst the infosec community across the world.

While the bug has affected billions of devices, and companies are scrambling to apply fixes, the open-source community has a raging debate going on about funding volunteers that maintain projects like Log4j.

Log4j Bug Highlights Open Source Funding Issues

A critical bug in a bit of open source tech called Log4j has been causing panic in the infosec community, reports Ivan Mehta. And, while major companies are scrambling to apply fixes, “the open source community has a raging debate going on about funding volunteers that maintain projects like Log4j.”

Many large corporations depend heavily on free and open source software projects such as Log4j, Mehta notes; however, project contributors and maintainers often receive only a small amount of financial support through GitHub or Patreon.

Apache Log4j CVEs

The Apache Software Foundation project Apache Logging Services has responded to a security vulnerability that is described in two CVEs, CVE-2021-44228 and CVE-2021-45046. In this post we’ll list the CVEs affecting Log4j and keep a list of frequently asked questions.

The most recent CVE has been addressed in Apache Log4j 2.16.0, released on 13 December. We recommend that users update to 2.16.0 if possible. While the 2.15.0 release addressed the most severe vulnerability, the fix in Log4j 2.15.0 was incomplete in some non-default configurations and could allow an attacker to execute a denial of service (DoS) attack. Users still on Java 7 should upgrade to the Log4j 2.12.2 release.

Private Internet Access VPN Issues Update to Protect Users Against Apache Log4j/Log4Shell Exploit

Since the threat was disclosed, our engineers have been working around-the-clock to come up with a patch that can not only protect our users from exploits in our system but can also help protect PIA’s VPN users from the Log4j 2 vulnerability altogether.

Mining the Logs | Coder Radio 444

The broader software problem the Log4Shell vulnerability reveals, and the story of how Chris lit his Coder robe on fire... While wearing it.

Nation-State Attackers, Ransomware Groups Take Aim at Apache Log4j Flaw

Nation-state cyber threat groups and ransomware attackers are moving in to exploit a critical flaw found in the seemingly ubiquitous Apache Log4j open-source logging tool, as attacks spread just days after the vulnerability that could affect hundreds of millions of devices was made public late last week.

Microsoft researchers reported that the remote code execution (RCE) vulnerability is being exploited by nation-state groups associated with China, North Korea, Iran and Turkey, with the activity that includes “experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

The vulnerability can be abused to enable an attacker to gain control of a targeted system.

Apache Log4j: remote code execution vulnerability

A high impact vulnerability was discovered in Apache Log4j 2, a widely deployed software component used by a lot of Java applications to facilitate logging. An attacker who can control the log messages or their parameters can cause the application to execute arbitrary code. In Ubuntu, Apache Log4j2 is packaged under the apache-log4j2 source package – this has been patched already to address this vulnerability as detailed in USN-5192-1 (Dec 14) and USN-5197-1 (Dec 15).

More Log4j News

Log4j is being exploited by all sorts of attackers, all over the Internet...

Log4J Vulnerability Isn't Going Anywhere Soon - Invidious

While Log4j has now been patched the problem is by no means over and this vulnerability is going to be with us going years into the future until every company patches or replaces their software.

Log4j is patched, but the exploits are just getting started

So far, researchers have observed attackers using the Log4j vulnerability to install ransomware on honeypot servers — machines that are made deliberately vulnerable for the purpose of tracking new threats. One cybersecurity firm reported that nearly half of corporate networks it was monitoring had seen attempts to exploit the vulnerability. The CEO of Cloudflare, a website and network security provider, announced early on that the threat was so bad the company would roll out firewall protection to all customers, including those who had not paid for it. But concrete news on exploitation in the wild remains scarce, likely because victims either don’t know or don’t yet want to acknowledge publicly that their systems have been breached.

Officials point to Apache vulnerability in urging passage of cyber incident reporting bill

Key federal cybersecurity officials are pushing for passage of legislation to create mandates for certain organizations to report cyberattacks amid the fallout from a massive vulnerability in Apache logging package log4j, which has left organizations worldwide vulnerable.

Bipartisan legislation to establish cyber incident reporting standards was set to be included in the compromise version of the National Defense Authorization Act (NDAA), but was removed at the last minute due to concerns from Sen. Rick Scott (R-Fla.) about the scope of the bill. Scott's concerns were addressed, but not in time for the provision to be included in the NDAA.

Open Source Foundations Must Work Together to Prevent the Next Log4Shell Scramble

As someone who has spent their entire career in open source software (OSS), the Log4Shell scramble (an industry-wide four-alarm-fire to address a serious vulnerability in the Apache Log4j package) is a humbling reminder of just how far we still have to go. OSS is now central to the functioning of modern society, as critical as highway bridges, bank payment platforms, and cell phone networks, and it’s time OSS foundations started to act like it.

Organizations like the Apache Software Foundation, the Linux Foundation, the Python Foundation, and many more, provide legal, infrastructural, marketing and other services for their communities of OSS developers. In many cases the security efforts at these organizations are under-resourced and hamstrung in their ability to set standards and requirements that would mitigate the chances of major vulnerabilities, for fear of scaring off new contributors. Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code.

This Week In Security: Log4j, PDF CPU, And I Hacked Starlink | Hackaday

The big news this week is Log4j, breaking just a few hours too late to be included in last week’s column. Folks are already asking if this is the most severe vulnerability ever, and it does look like it’s at least in the running. The bug was first discovered by security professionals at Alibaba, who notified Apache of the flaw on November 24th. Cloudflare has pulled their data, and found evidence of the vulnerability in the wild as early as December 1st. These early examples are very sparse and extremely targeted, enough to make me wonder if this wasn’t researchers who were part of the initial disclosure doing further research on the problem. Regardless, on December 9th, a Twitter user tweeted the details of the vulnerability, and security hell broke loose. Nine minutes after the tweet, Cloudflare saw attempted exploit again, and within eight hours, they were dealing with 20,000 exploit attempts per minute.

That’s the timeline, but what’s going on with the exploit, and why is it so bad? First, the vulnerable package is Log4j, a logging library for Java. It allows processes to get log messages where they need to go, but with a bunch of bells and whistles included. One of those features is support for JNDI, a known security problem in Java. A JNDI request can lead to a deserialization attack, where an incoming data stream is maliciously malformed, misbehaving when it is expanded back into an object. It wasn’t intended for those JNDI lookups to be performed across the Internet, but there wasn’t an explicit check for this behavior, so here we are.

The Log4j Vulnerability: What You Still Need to Know

Easterly adds that “this effort also underscores the urgency of building software securely from the start and more widespread use of Software Bill of Materials (SBOM)” as directed by President Biden earlier this year. An SBOM, Easterly says, “would provide end users with the transparency they require to know if their products rely on vulnerable software libraries.”

CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities

CISA has issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability, directing federal civilian executive branch (FCEB) agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228.

Although ED 22-02 applies to FCEB agencies, CISA strongly recommends that all organizations review ED 22-02 for mitigation guidance. For additional details, see CISA’s webpage Apache Log4j Vulnerability Guidance.

Google Online Security Blog: Understanding the Impact of Apache Log4j Vulnerability

More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. This exploitable feature was enabled by default in many versions of the library.

This vulnerability has captivated the information security ecosystem since its disclosure on December 9th because of both its severity and widespread impact. As a popular logging tool, log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects across the software industry. User’s lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability. Using Open Source Insights, a project to help understand open source dependencies, we surveyed all versions of all artifacts in the Maven Central Repository to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages.

Understanding the Impact of Apache Log4j Vulnerability (Google) [LWN.net]

The Google Security Blog looks into the ripple effects of the Log4j vulnerability.

GIMP is not affected by the log4j vulnerability

Everyone is asking us if GIMP is vulnerable to the recent log4j vulnerabilities (also dubbed “log4shell” in the media, in particular regarding to the CVE-2021-44228 zero-day vulnerability).

As an official statement: no, GIMP is not vulnerable to log4shell!

We do not use log4j and there is not even any Java code in GIMP. So enjoy GIMP and feel safe while creating more wonderful artworks!

Security firm Blumira discovers major new Log4j attack vector

A basic Javascript WebSocket connection can trigger a local Log4j remote code attack via a drive-by compromise. Wonderful. Truly wonderful.

Mars helicopter has Log4j bug, breaks records all the same • The Register

NASA has revealed that Ingenuity – the experimental helicopter sent to Mars with the Perseverance Rover – has clocked up a whole half-hour of flight in the Red Planet's meanly thin atmosphere.

The 'copter passed the thirty-minute mark during its 17th flight, on December 5, which sets a new record for the space agency.

But NASA was unsure of the craft's status because of what the US agency has described as "an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight."

At this point of the story we need to share this old tweet from the Apache Software Foundation.

How to Check If Your Server Is Vulnerable to the log4j Java Exploit (Log4Shell)

A critical exploit in widespread Java library has been found, disrupting much of the internet as server admins scramble to fix it. The vulnerable component, log4j, is used everywhere as an included library, so you will need to check your servers and make sure they’re updated.

[...]

The exploit was quickly patched in log4j‘s latest release, 2.16.0, but the problem isn’t fixing it—it’s finding out where you need to. Since log4j is an embedded dependency, it may be non-trivial to search for the specific version of it on your system. And, since Java is so popular, many third-party tools and components may use it, so you may not even know if you are running Java software on your machines.

Even if you think you aren’t vulnerable, you probably still need to double check. This exploit affects so many systems that there is a solid chance you may be running log4j or Java without realizing it.

Luckily, JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the primary attack vector (using LDAP) that’s being exploited the most right now. You still need to patch it regardless, since it can easily be used with other attack vectors as well. Also, just the simple act of making a request to an endpoint can reveal data about machines on your network, which isn’t a good thing either.

This exploit highlights why it is important to keep a Software Bill of Materials (SBOM), basically a list of all the software on your systems, where it comes from, and what it’s made from. In the future, this knowledge can help you quickly patch against attacks like this.

In the present, you are probably just concerned about getting your network patched. To do that, you’ll need to scan your systems to find log4j versions used by your software, and make a list of all the vulnerable components.

Log4j: Everything You Need to Know

Security researchers have warned users that attackers are attempting to exploit a critical vulnerability in the Java logging library Apache Log4j. Log4j is a widely used java library that logs error messages in applications used by enterprise software applications as well as custom built applications intended for in-house usage.

The flaw, which was found to allow unauthenticated remote code execution and access to servers, was discovered first in Minecraft on December 9th, but experts are warning cloud users may also be at risk. There is a variety of software that is potentially vulnerable to being exploited since Log4j is a part of so many different forms of enterprise and open-source software, ranging from email services, cloud platforms, and web applications. The severity of this risk has been deemed a 10 out of 10 after exploits began on the 1st of December. Back in 2013, however, the code was first introduced into the codebase that has now been exploited since December 1st, nine days after public disclosure.

Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis (CVE-2021-44228)

An analysis of the Apache Log4j vulnerability and the architecture of zero-day exploits (CVE-2021-44228) from Nozomi Networks Labs.

“Open source” is not broken

Reading the various hot takes regarding the log4j2 problems has been an exercise in frustration. The fact that the maintainers of this small but important piece of software barely received any donations or other forms of financial support, despite their software being extensively used by some of the largest corporations in the world is not a fault of open source – it’s the fault of garbage corporations only taking, but rarely giving. The issue here is not open source – it’s unchecked capitalism.

That being said, these maintainers, and other people who contribute to open source projects, know full well it’s most likely not going to make them rich, or even allow them to recoup any investments made. That’s the nature of open source, and it seems like the technology world has become so infested with venture capitalists that even the mere idea of someone working on something not for the money, but for other reasons seems entirely alien to a lot of people, meaning open source must, therefore, be broken.

Money corrupts anything it touches. I’m insanely grateful for the almost endless number of people contributing to open source projects not because they expect to become rich, but because they enjoy doing it, to show off their skill, for the community of people they love interacting with, for the recognition it sometimes brings, or for the mere secret knowledge that their small project nobody’s ever heard of is a crucial cog in the massive machinery that keeps the technology world spinning.

Open source isn’t broken. It’s working exactly as intended, and it’s by far the most powerful force in the technology world, and it will outlive any of the corporations so many people bend over backwards to please today.

Massive Log4Shell internet security flaw threatens everyone — what you can do

The very serious server-software flaw named "Log4Shell" that affected many Minecraft players at the end of last week has, as feared, come to affect the entire internet. In terms of potential impact, it's one of the most severe computer-security vulnerabilities the world has ever seen.

"I cannot overstate the seriousness of this threat," researcher Lotem Finkelstein of Israeli security firm Check Point told ZDNet.

His firm has seen more than 850,000 attempted attacks on servers since a working exploit for the vulnerability was posted online Thursday (Dec. 9). Antivirus firm ESET said the U.S., U.K., Turkey, Germany and the Netherlands were seeing the most attacks.

Log4Shell Exploit, Vulnerability Explained: What to do If You're Hacked

An urgent warning is being issued about the server-software flaw named "Log4Shell." Experts refer to it as one of the most severe computer-security vulnerabilities ever discovered. Any user exposed to the Log4Shell vulnerability should expect their personal information, credit card number and online identity to be fully exploited.

EXPLAINER: The security flaw that’s freaked out the internet

Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

The Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented.

Canadian websites temporarily shut down as world scrambles to mitigate or patch Log4Shell vulnerability

Federal and provincial departments including the Canada Revenue Agency, Employment and Social Development Canada and the Toronto region transportation system Metrolinx took their websites offline over the weekend to deal with the critical log4j2 Java library vulnerability.

How Apache Raced to Fix a Potentially Disastrous Software Flaw

At 2:51 p.m. on Nov. 24, members of an open-source software project received an alarming email. The contents threatened to undermine years of programming by a small group of volunteers and unleash massive cyberattacks across the globe.

“I want to report a security bug,” wrote Chen Zhaojun, an employee on Alibaba Group Holding Ltd.’s cloud-security team, adding “the vulnerability has a major impact.”

The message went on to describe how a hacker could take advantage of Log4j, a widely used software tool, to achieve what’s known as remote code execution, a hackers’ dream because they can remotely take over a computer.

Log4j gets a second update as security woes pile up

Less than a week from the initial disclosure of the high-profile Log4Shell vulnerability, the open source Log4j software has already received a second major update.

The Apache Software Foundation is now advising organizations running Log4j to update the logging tool to version 2.16.0, rather than last week's 2.15.0 build. Unlike last week's update, which limited functions of the vulnerable JNDI (Java Naming and Directory Interface) component, the 2.16.0 build disables the API entirely.

Log4j's project sponsorship skyrockets after critical bug exploitation

Demanding work done for free not sustainable.

The maintainers of the Java Log4j project had only three sponsors, despite the software being a crucial part of large companies' commercial products and enterprise applications.

Roger Goers, the intial Log4j coder and member of the Apache Software Foundation now has 58 mostly individual sponsors at the time of publishing.

Log4j is a popular logging library for Java which, due to insecure handling of directory lookups, allows the remote execution of arbitrary code in its default configuration.

What Is Log4j? The Security Flaw That's Freaking Out the Internet

Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

US Warns Hundreds of Millions of Devices at Risk Over New Software Vulnerability

Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability, as a senior Biden administration cyber official warned executives from major U.S. industries Monday that they need to take action to address “one of the most serious” flaws she has seen in her career.

As major tech firms struggle to contain the fallout, U.S. officials held a call with industry executives warning that hackers are actively exploiting the vulnerability.

For now, cybersecurity analysts told CNN, the pressure is on tech companies to clean up their software code and on big businesses to figure out if they are affected by the flaw. But because the vulnerability is so widespread, and likely present in things like popular apps and websites, consumers could also feel the fallout if those services get hacked.

The Log4j security flaw could impact the entire internet. Here's what you should know

This security flaw could impact the entire internet. Here's what you should know

Software Flaw Sparks Global Race to Patch Bug

Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks.

Software vulnerability expected to persist, possibly for months

A flaw in a widely used piece of free internet software is prompting companies to rush to update their systems and prevent cyberattacks, but the technology’s ubiquity means the threat could affect businesses for months, security researchers say.

A software flaw exposes major companies' servers

Mars helicopter mission (which Apache says is powered byLog4j) overcomes separate network glitch to confirm new flight record

NASA has revealed that Ingenuity – the experimental helicopter sent to Mars with the Perseverance Rover – has clocked up a whole half-hour of flight in the Red Planet's meanly thin atmosphere.

The 'copter passed the thirty-minute mark during its 17th flight, on December 5, which sets a new record for the space agency.

But NASA was unsure of the craft's status because of what the US agency has described as "an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight."

Minecraft Log4J bug ‘worst computer vulnerability' in years, experts warn

People with the popular internet game Minecraft on their computers could be at risk of having data stolen or even erased by hackers.

The bug in software known as Log4J is a risk to any internet-connected device, including phones and tablets and it is rapidly emerging as a major threat, WalesOnline reported.

Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike said: “The internet’s on fire right now.

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

As it happens, the above quote comes from the NSCS’s guide for company boards-of-directors, in a section that warns top management to take steps to avoid burnout in cybersecurity teams.

But we’ve already needed to write this week about Apple’s latest security updates, which apply to all the company’s products, and include fixes for almost every sort of security risk you can think of.

[...]

Apple’s patches don’t deal with Log4Shell, but they do close other holes all the way from kernel compromise (think: spyware implants) to privacy bypasses (think: configuration hacks and data leakage)...

VLC and log4j

Since its very early days in 1996, VideoLAN software is written in programming languages of the C family (mostly plain C with additions in C++ and Objective-C) with the notable exception of its port to Android, which was started in Java and recently transitioned to Kotlin. VLC does not use the log4j library on any platform and is therefore unaffected by any related security implications.

The [Internet] runs on free open-source software. Who pays to fix it?

The truth is different: Log4J, which has long been a critical piece of core internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many million- and billion-dollar companies rely on it and profit from it every single day. Yazici and his team are trying to fix it for next to nothing.

This strange situation is routine in the world of open-source software, programs that allow anyone to inspect, modify, and use their code. It’s a decades-old idea that has become critical to the functioning of the internet. When it goes right, open-source is a collaborative triumph. When it goes wrong, it’s a far-reaching danger.

“Open-source runs the internet and, by extension, the economy,” says Filippo Valsorda, a developer who works on open-source projects at Google. And yet, he explains, “it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”

Security News This Week: Buckle Up for More Log4j Madness

IT FEELS LIKE the world has a lot of Pandora's boxes open at once right now. Last week another crisis came into view with disclosure of a vulnerability in the widely used open source Apache logging library Log4j. Since then, system administrators, incident responders, and governments have been scrambling to install patches and reduce the threat. The bug is simple for attackers to exploit and can lead to full server takeover. Patching is on the rise, but Apache has had to release additional fixes that now must be installed. After some preliminary probing and exploitation from attackers around the world, defenders are bracing for a brutal next wave. And they say that vulnerable systems will lurk in networks for years, just waiting to be discovered and exploited.

Meanwhile, researchers put the surveillance-for-hire industry on blast this week as Meta took down infrastructure on its platforms from seven companies that had targeted more than 50,000 of the company's users and others. And Google's Project Zero did a deep technical analysis of NSO Group's ForcedEntry iOS exploit, underscoring just how sophisticated a private organization's hacking tools can be. WIRED also took a look at growth tactics of the world's largest deepfake abuse site that uses AI to generate false nude images.

With all of this targeted hacking and misinformation floating around, check out WIRED's guide to defending yourself against “smishing” or SMS phishing attacks deployed by everyone from the most elite hackers down to run-of-the-mill spammers.

And there's more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

Josh Bressers: Episode 302 – Log4j is a mess

Josh and Kurt talk about the same topic everyone is talking about, Log4j. This episode was recorded on the Wednesday after the first Log4j issue. We point out all the gaps and difficulties for the defenders. The situation has gotten worse since then.

Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations

Due to the extraordinary widespread use of the open-source Apache Log4j library, the saga of the Log4Shell (CVE-2021-44228) vulnerability is nowhere near finished.

As Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, recently noted, “Log4Shell will continue to haunt us for years to come.”

His advice? “Dealing with Log4Shell will be a marathon. Treat it as such.” So let’s see what’s the latest news that can impact your mitigation and remediation efforts.

Log libraries and the tendency to open holes in things

Logging stuff is in the news this week. Specifically, people with Java and log4j somewhere in their lives are having a miserable time. I figured I'd re-tell a story about terrible things done by way of a bunch of feature-rich libraries and dubious interconnections. I've mentioned this in passing before, but this time I've tried to be much more specific about how it works.

This is a tale that's happened at multiple distinct companies, and I have to imagine it's happening (or *is happening*) at several more. Note that while I'm picking on the G* stuff here since it's open source and thereby more likely to resonate with readers, reimplementations of these libraries under other names have also introduced the same problems to those companies.

Log4j flaw needs immediate remediation

After nearly two years of adopting major network and security changes wrought by COVID-19 and hybrid work, weary IT network and security teams didn’t need another big issue to take care of, but they have one: Stemming potential damage from the recently disclosed vulnerability in open source Java-logging Apache Log4j software.

Log4j or Log4Shell has been around a long time—it was released in January, 2001—and is widely used in all manner of enterprise and consumer services, websites, and applications. Experts describe the system as an easy-to-use common utility to support client/server application development.

The Real Fix for Log4j Isn't a Patch.

The log4j exploit requires unrestricted outbound traffic. Again, we're not there yet – few organizations have outbound whitelists for every service, and in many cases, we don't have the right architecture to isolate certain restrict different parts of the same process (e.g. first-party application code should be able to reach out to the [Internet], but third-party libraries like loggers should not).

Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228 & CVE-2021-45046)

A few days ago, a serious new vulnerability was identified in Apache log4j v2 and published as CVE-2021-44228. We were one of the first security companies to write about it, and we named it "Log4Shell".

AMD slips by as Log4Shell exploit affects other top tech giants, such as Intel, Microsoft, and NVIDIA

Four days ago, the Log4Shell Java exploit was unearthed, allowing hackers to take control of exposed web-facing servers by sending and activating a malicious string of text, affecting tech giants such as Microsoft, NVIDIA, and Intel. This exploit is located in the open-source Apache Log4j library that logs events and errors inside Java-based applications.

How to check if your Linux servers are vulnerable to the Log4j flaw with a single command - TechRepublic

Jack Wallen shows you a quick way to test if your Linux servers are vulnerable to the Log4j vulnerability.

Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

This advisory expands on CISA’s previously published guidance, drafted in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), by detailing recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities.

Log4j vulnerability now used to install Dridex banking malware

When executed, the VBS file will check if the user is part of a Windows domain by checking various environment variables. If the user is part of a domain, the VBS file will download the Dridex DLL and execute it using Rundll32.exe, as shown below.

Open-source software holds the key to solving Log4Shell-like problems

Earlier this month, the existence of a critical vulnerability in Apache Log4j 2 was revealed and a PoC for it published. Dubbed Log4Shell, it’s an issue in a logging library for Java applications that is widely used across popular open-source projects and enterprise-grade back-end applications. Log4Shell introduced a critical security risk, scoring 10 out of 10 in severity.

Security chief warns of new telco core threat, Security | TelecomTV

Przemysław Dęba, security chief at Orange Poland, has taken to Twitter to highlight a security warning to telcos from P1 Security, a telecoms security software and services specialist. The company’s R&D unit, P1 Labs, today warned of Log4Shell, a “a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.”

Essentially, it exploits a vulnerability in signalling messages, and that puts telco core network systems at risk from attack, and The Apache Software Foundation, of which Log4j is a project, has given Log4Shell a “CVSS [Common Vulnerability Scoring System] severity rating of 10, the highest available score. It is estimated that the exploit affects hundreds of millions of devices,” according to P1. Check out the full explanation from P1 Labs here.

Belgian defence ministry admits attackers accessed its computer network by exploiting Log4j vulnerability

The Belgian Ministry of Defence has suffered a cyber attack after miscreants exploited one of the vulnerabilities in Log4j. The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws.

The attack took place last week, as reported by Flemish-language TV news station VRT, which said "some of the ministry's activities were paralysed for several days."

Belgian MoD spokesman Olivier Severin said in a prepared statement seen by The Register: "Defence discovered an attack on its computer network with internet access on Thursday. Quarantine measures were quickly taken to isolate the affected parts. The priority is to keep the defence network operational."

Log4Shell — Preparing for What Comes Next

We’re now at about the two week point after news of the vulnerability in the Apache Foundation’s Log4j logging tool for Java, dubbed Log4Shell, splashed into the headlines.

For a catch up on what this story is all about and a guide for how to kickstart your mitigation efforts, check out our post from 12 December before continuing to read.

Bad things come in threes: Apache reveals another Log4J bug

The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j.

CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.

That’s the third new version of the tool in the last ten days.

In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in many versions up to 2.14.0.

Alibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing

China’s technology ministry suspended work with Alibaba Cloud over what it called untimely reporting to authorities of the flaw affecting users world-wide

‘Perfect storm’: Inside the race to fix a potentially disastrous software flaw

At 2:51 p.m. on Nov. 24, members of an open-source software project received an alarming email. The contents threatened to undermine years of programming by a small group of volunteers and unleash massive cyberattacks across the globe.

“I want to report a security bug,” wrote Chen Zhaojun, an employee on Alibaba Group’s cloud-security team, adding, “the vulnerability has a major impact.”

The message went on to describe how a hacker could take advantage of Log4j, a widely used software tool, to achieve what’s known as remote code execution, a hackers’ dream because they can remotely take over a computer.

The message ultimately set off a global race to update critical computer systems, with senior U.S. cybersecurity officials describing the discovery as a “significant threat.” Left unfixed, the software could give attackers unfettered access to untold millions of computer systems.

Real-Time Protection of Log4j with AppTrana – Through its Risk-Based Approach

With the discovery of Log4j vulnerability on December 9th (Also known as Log4shell), the cybersecurity world has gone on a tailspin. It is one of the most potent vulnerabilities identified in recent times. It is estimated that millions of systems were left exposed, resulting in large attempts by hackers to exploit the vulnerability. It is estimated more than a million attacks have been launched since the vulnerability was identified.

China regulator suspends cyber security deal with Alibaba Cloud

Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group (9988.HK), over accusations it failed to promptly report and address a cybersecurity vulnerability, according to state-backed media reports.

Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China's telecommunications regulator, according to 21st Century Business Herald, citing a recent notice by the Ministry of Industry and Information Technology (MIIT).

Major security flaw leaves companies vulnerable to ransomware

Apache's new security update for HTTP Server fixes two flaws

The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10.

Josh Bressers: Episode 303 – Log4j Christmas Spectacular!

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn’t have caught this. There are still a lot of things to unpack with this event. We are sure we’ll be talking about it well into the future.

Check for Log4j vulnerabilities with this simple-to-use script

One great thing about Linux and the open source community is that as soon as a vulnerability is detected, developers are hard at work releasing tools to mitigate the problem. Such is the case with the Log4j vulnerability.

What is Log4j? The Latest Internet Vulnerability

So what is this humble piece of internet infrastructure, how can hackers exploit it and what kind of mayhem could ensue?

Open source security leader Brian Behlendorf discusses the impact of Log4j

For the last few weeks, the world of computer security has been turned upside down as teams struggled to understand if they needed to worry about the Log4j vulnerability. The relatively small Java library didn’t do anything flashy, but it was a well-built open source tool for tracking software events, and that made it popular with Java developers. That meant it often found its way into corners that people didn’t expect.

While the security teams will continue to debate the nature of the flaw itself and search for similar problems, many are wondering how this might change the industry’s reliance on open source practices. Everyone enjoys the free tools until a problem like this appears. Is there a deeper issue with open source development that brought this about? Can society continue to rely upon the bounty of open source without changing its expectations and responsibilities?

VentureBeat talked to Brian Behlendorf to understand the depth of the problem and also try to make sense of how software developers can prevent another flaw like this from getting such wide distribution. Behlendorf was one of the original developers of the Apache web servers, and he’s long been a leader of open source development. He’s been working with the Linux Foundation and the Open Source Security Foundation (OpenSSF) to find better practices and support them throughout the open source ecosystem.

Lesson from Log4j: Open-source software improvements need help from feds

Open source isn't the security problem – misusing it is [Ed: Richard Waters has a long history attacking Free software [1, 2, 3, 4, 5, 6, 7]; his employer receives money from Bill Gates]

We're going to be cleaning up Apache Log4j security problems for months to come, but the real problem isn't that it was open-source software. It's how we track and use open-source code.

When security vulnerabilities were found in the extremely popular open-source Apache Log4j logging library, we knew we were in trouble. What we didn't know was just how much trouble we were in. We know now. Just ask the Belgian defence ministry. In this ongoing security disaster, many people blame open source for all our troubles.

In the Financial Times (FT), Richard Waters, the newspaper's west coast editor, wrung his hands, saying it's a "little alarming to discover that, more than two decades into the open-source era, glaring security holes sometimes surprise even the experts."

Surprising? I think not. It's software. It always has bugs. Sometimes they're really bad bugs. As security maven Bruce Schneier said over 20 years ago: "Security is a process, not a product." There's no surprise here.

5 Highlights from the U.S. Senate’s Log4J Vulnerability Hearing

On Tuesday, Feb. 8, the U.S. Senate Committee on Homeland Security and Governmental Affairs convened a hearing titled “Responding to and Learning from the Log4Shell Vulnerability.” The hearing’s intent was to facilitate discussion of Log4J vulnerability and industry’s response to it, along with the broader topic of software security.