What to do if my Java app is still vulnerable to Log4Shell after upgrading to the latest Log4j?

My Java 11 application is being upgraded to fix the Log4Shell flaw. So first Spring Boot has been upgraded to the latest version.
As my project uses Maven to manage its dependencies, I set the log4j version in the dependencyManagement sect…

In studying tech supply chain, feds cite open source products, device firmware

Open-source software and device firmware are two of the biggest areas of vulnerability in the supply chains for information and communications technology, according to a federal report Thursday that called for better risk management practices and improved monitoring efforts by government and industry. Another area that potentially affects U.S. cybersecurity is a shrinking manufacturing base for hardware, including a “significant reduction” in the related workforce, the report said. The Biden administration asked the departments of Commerce and Homeland Security for the review under an executive order signed in February 2021 as the White House worked to address challenges in the supply chains for goods and services overall. At the time, the breach of SolarWinds’ software supply chain by Russia-linked hackers had riled Washington, and Thursday’s report comes as the government and cybersecurity industry are still responding to the Log4Shell bug found in December 2021 in a widely used piece of […]

The post In studying tech supply chain, feds cite open source products, device firmware appeared first on CyberScoop.


Google Cloud offers good news and bad news on Log4Shell, other issues

Google Cloud is seeing 400,000 scans per day for systems vulnerable to the Log4Shell bug, the company said Tuesday. The findings — released as part of the company’s semi-regular Threat Horizons report — show that IT security professionals need to “keep paying attention to this, because the scans keep coming, and if you leave one vulnerable instance open, you’re going to be found,” Phil Venables, the chief information security officer at Google Cloud, told CyberScoop. That said, the companies interacting with Google Cloud have “been very much on top of this,” according to Venables. The warning comes as a reminder, however, to security professionals to keep doing the work of finding the devices and software vulnerable to the Log4Shell bug, which affects versions of the widely used Log4j logging software that haven’t been patched since early December. Shane Huntley, the head of Google’s Threat Analysis Group, said that the daily […]

The post Google Cloud offers good news and bad news on Log4Shell, other issues appeared first on CyberScoop.


CISA’s new JCDC worked as intended, witnesses say at Senate hearing on Log4Shell bug

Changes in federal cybersecurity leadership over the past year allowed the private and public sectors to quickly work together in responding to the disclosure of the Log4Shell bug last month, experts said Tuesday at a Senate hearing. Witnesses at the Homeland Security and Governmental Affairs Committee hearing praised the usefulness of the Joint Cyber Defense Collaborative, a new center launched by the Cybersecurity and Infrastructure Security Agency in August to help federal agencies, the private sector and state and local governments collaborate on cyberthreat response. “Its structure provided a body to scramble a snap call on Saturday afternoon after Log4Shell emerged to allow industry competitors to act as partners with the government to share raw situational awareness and we must continue building upon this partnership,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42. The witnesses warned that the fallout from Log4Shell — a vulnerability in […]

The post CISA’s new JCDC worked as intended, witnesses say at Senate hearing on Log4Shell bug appeared first on CyberScoop.


How did the Alibaba Cloud Security Team engineer discover the Log4j vulnerability? Reverse engineering, fuzzing, both, or something else?

How did the Alibaba Cloud Security Team engineer discover the Log4Shell (CVE-2021-44228) vulnerability? What was the detailed account of the discovery and/or the events leading up to the discovery?
More importantly, what are the techniques…

Chinese hackers use Log4j exploit to go after academic institution

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday. Threat analysts observed the group attempting to install malware after gaining access using a modified version of a Log4j exploit for VMware Horizon, a virtual workspace technology. CrowdStrike also observed the Chinese hackers trying to harvest credentials for further exploitation. CrowdStrike analysts believe that the group behind the attack, which it is calling “Aquatic Panda,” has likely been active since at least May 2020. Its operations have primarily focused on targets in the telecommunications, technology and government sectors. “Because OverWatch disrupted the attack before AQUATIC PANDA could take action on their objectives, their exact intent is unknown,” Param Singh, vice president of CrowdStrike OverWatch, wrote to CyberScoop in an email. “This adversary, however, is known to use tools to maintain persistence in environments […]

The post Chinese hackers use Log4j exploit to go after academic institution appeared first on CyberScoop.
