CVE-2021-44228 zero-day in Java library Apache Log4j


    #2405639

    https://nvd.nist.gov/vuln/detail/CVE-2021-44228

    Exploited vulnerability can be used against a number of services, including Apple’s iCloud, Valve’s Steam, Microsoft’s Minecraft, …

    Description
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”…

    RCE 0-day exploit found in log4j, a popular Java logging package

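    The description above names two checks and one fix a defender can apply: is the JndiLookup class present in a log4j-core jar, which version is it, and, if needed, strip that class (the quoted `zip -q -d` command). The following is an added example, not code from the thread or from the Log4j project, that does the same with Python's standard zipfile module; the Maven `pom.properties` path used to read the version is the conventional layout and is an assumption here, and the sample jar is constructed inline.

```python
"""Inspect a jar for the Log4Shell-relevant JndiLookup class and the declared
log4j-core version, and produce a copy with the class removed.
Added example; not the forum author's or the Log4j project's code."""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Conventional Maven location of the version string (assumed layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.15.0 itself had CVE-2021-45046; the thread points to 2.16.0 as the fix.
FIXED = (2, 16, 0)

def parse_version(text: str):
    """Extract (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(data: bytes) -> dict:
    """Report JndiLookup presence, declared version, and whether action is needed.
    An unknown version with the class present is treated as needing action."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_jndi = JNDI_CLASS in names
    needs_action = has_jndi and (version is None or version < FIXED)
    return {"jndi_lookup": has_jndi, "version": version, "needs_action": needs_action}

def strip_jndi_lookup(data: bytes) -> bytes:
    """Same effect as `zip -q -d log4j-core-*.jar .../JndiLookup.class`:
    copy every entry except the lookup class into a new archive."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar("2.14.1")
    print(inspect_jar(jar))
    print(inspect_jar(strip_jndi_lookup(jar)))
```

    Removing the class is the fallback the NVD text gives for releases where upgrading is not possible; on a real deployment, rerun `inspect_jar` on the rewritten file and then restart the JVM, since the old class stays loaded until then.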
    • #2405666

      This looks very different to the general internet:

      ‘The internet’s on fire’ as techs race to fix software flaw

      “A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.”

      “The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software.”

    • #2406757

      Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit

      If you’ve patched using Log4J 2.15.0, it’s time to consider updating again.

      Last Thursday, the world learned of an in-the-wild exploitation of a critical code-execution zero-day in Log4J, a logging utility used by just about every cloud service and enterprise network on the planet. Open source developers quickly released an update that patched the flaw and urged all users to install it immediately.

      Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update. The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046…

      The Apache Log4j 2 team is pleased to announce the Log4j 2.16.0 release!
