Log4Shell

[Grey Havoc]

Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace

Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how to fix Log4Shell, why it's bad, and what a working exploit requires in this post.

www.lunasec.io

'The internet's on fire' as techs race to fix software flaw

Computer security experts around the world are racing to patch one of the worst software vulnerabilities discovered in years.

apnews.com

 

[Grey Havoc]

Software Flaw Sparks Global Race to Patch Bug

Cybersecurity researchers say they have seen thousands of attempts to exploit the bug.

www.wsj.com

 

[Grey Havoc]

The time bombs ticking inside the world’s software

The worst open-source software vulnerability in years, a big week for HashiCorp, and why the Pentagon’s JEDI sequel is really a whole new story.

www.protocol.com

 

[Grey Havoc]

Cyber experts express growing alarm over Apache vulnerability

A vulnerability in a widely used logging platform uncovered late last week has left security professionals and officials scrambling to respond and patch systems before other nations and cybercrimin…

thehill.com

 

[Grey Havoc]

DNyuz - Latest Breaking U.S. News

Latest Breaking News, U.S. and World Politics, Crime, Business, Science, Technology, Autos, Entertainment, Culture, Movie, Music, Sports.

dnyuz.com

 

[Grey Havoc]

Hackers Backed by China Seen Exploiting Security Flaw in Internet Software - Slashdot

Hackers linked to China and other governments are among a growing assortment of cyberattackers seeking to exploit a widespread and severe vulnerability in computer server software, according to cybersecurity firms and Microsoft. From a report: The involvement of hackers whom analysts have linked...

it.slashdot.org

Security Firm Blumira Discovers Major New Log4j Attack Vector - Slashdot

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered...

developers.slashdot.org

 

[Grey Havoc]

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says - Slashdot

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell...

tech.slashdot.org

Belgian Defense Ministry Confirms Cyberattack Through Log4j Exploitation - Slashdot

An anonymous reader quotes a report from ZDNet: The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did...

it.slashdot.org

 

[muttly]

And so it begins.

 

[overscan (PaulMM)]

 

[overscan (PaulMM)]

Modern development techniques relies a lot on reusing existing open source code downloaded from the internet to speed up development. This creates the situation where a popular framework, library or tool gets used all over the place, creating a 'perfect storm' when it turns out to have a security issue. Also lots of the code in "your app" was actually written by unknown programmers on the internet.

 

[Grey Havoc]

China Regulators Suspend Alibaba Cloud Partnership Over Log4Shell Reporting - Slashdot

AltMachine writes: "Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address [the Log4Shell vulnerability]," reports Reuters, citing...

it.slashdot.org

 

[Grey Havoc]

From back in early December:

New Zero-Day In the Log4j Java Library Is Already Being Exploited - Slashdot

A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. ZDNet reports: Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote...

developers.slashdot.org

 

[Grey Havoc]

Iranian Hackers Breached Federal Agency Using Log4Shell Exploit - Slashdot

An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the...

it.slashdot.org