At RSA, Akamai put focus on fake sites, API vulnerabilities

At the RSA Conference Akamai launched a new security platform for fake websites and touted its focus on protecting application programming interfaces, or APIs.
The post At RSA, Akamai put focus on fake sites, API vulnerabilities appeared first on TechRepu…

Log4j Forever Changed What (Some) Cyber Pros Think About OSS

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services.  Nearly anything from popular consumer and enterprise platforms to critical infrastructure […]

The post Log4j Forever Changed What (Some) Cyber Pros Think About OSS appeared first on Security Intelligence.

This Week in Security: Java’s Psychic Signatures, AWS Escape, And a Nasty Windows Bug

Java versions 15, 16, 17, and 18 (and maybe some older versions) have a big problem: ECDSA signature verification is totally broken. The story is a prime example of the …

‘Spring4Shell’ bug in framework for Java programming draws widespread warnings

Web applications created in the Spring platform could leave users open to remote code execution, CISA and others are warning.

The post ‘Spring4Shell’ bug in framework for Java programming draws widespread warnings appeared first on CyberScoop.

What to do if my java app is still vulnerable to log4shell after upgrading to the latest log4J?

My Java 11 application is being upgraded to fix the log4shell flaw. So first Spring Boot has been upgraded to the latest version.
As my project uses Maven to manage its dependencies, I set the log4j version in the dependencyManagement sect…

In studying tech supply chain, feds cite open source products, device firmware

Open-source software and device firmware are two of the biggest areas of vulnerability in the supply chains for information and communications technology, according to a federal report Thursday that called for better risk management practices and improved monitoring efforts by government and industry. Another area that potentially affects U.S. cybersecurity is a shrinking manufacturing base for hardware, including a “significant reduction” in the related workforce, the report said. The Biden administration asked the departments of Commerce and Homeland Security for the review under an executive order signed in February 2021 as the White House worked to address challenges in the supply chains for goods and services overall. At the time, the breach of SolarWinds’ software supply chain by Russia-linked hackers had riled Washington, and Thursday’s report comes as the government and cybersecurity industry are still responding to the Log4shell bug found in December 2021 in a widely used piece of […]

The post In studying tech supply chain, feds cite open source products, device firmware appeared first on CyberScoop.

Google Cloud offers good news and bad news on Log4Shell, other issues

Google Cloud is seeing 400,000 scans per day for systems vulnerable to the Log4Shell bug, the company said Tuesday. The findings — released as part of the company’s semi-regular Threat Horizons report — show that IT security professionals need to “keep paying attention to this, because the scans keep coming, and if you leave one vulnerable instance open, you’re going to be found,” Phil Venables, the chief information security officer at Google Cloud, told CyberScoop. That said, the companies interacting with Google Cloud have “been very much on top of this,” according to Venables. The warning comes as a reminder, however, to security professionals to keep doing the work of finding the devices and software vulnerable to the Log4Shell bug, which affects versions of the widely used Log4j logging software that haven’t been patched since early December. Shane Huntley, the head of Google’s Threat Analysis Group, said that the daily […]

The post Google Cloud offers good news and bad news on Log4Shell, other issues appeared first on CyberScoop.