Jen Easterly, director of CISA, says Log4j is the worst flaw she has seen and that its effects will last for years


The director of CISA, Jen Easterly, says the Log4j security flaw is the worst she has seen in her career and that security professionals will be dealing with its consequences for a long time.

If left unpatched, the flaw disclosed a month ago in the Apache Log4j Java logging library puts large parts of the Internet at risk: attackers can exploit this widely used software to take over servers, exposing everything from consumer electronics to government and corporate systems to attack.

On December 9 a vulnerability was disclosed in the Apache Log4j logging library. The library is widely used in Java / J2EE application development projects and by vendors of standard Java / J2EE-based software products.

Log4j includes a lookup mechanism that is triggered by a special syntax, ${prefix:key}, inside a logged string. By default, JNDI lookups are made with the prefix java:comp/env/; however, the authors also allowed a custom prefix to be given by using a colon in the key. This is where the vulnerability lies: if the key is jndi:ldap://..., the request goes to the LDAP server named in the string. Other protocols such as LDAPS, DNS and RMI can be used as well.

A remote server controlled by an attacker can therefore return an object to the vulnerable server, which can lead to arbitrary code execution on the system or to leakage of confidential data. All the attacker has to do is get a specially crafted string into something the application writes to its log, so that it is processed by the Log4j library.

This can be done with simple HTTP requests, for example through web forms, headers or data fields, or through any other interaction whose input ends up in server-side logs.

  • Version 2.15.0, the first fix for Log4Shell (CVE-2021-44228), did not resolve another issue, CVE-2021-45046, which allows an attacker who controls Thread Context Map (MDC) input to craft malicious input using a JNDI lookup pattern. In certain non-default configurations the result can be remote code execution.
  • Version 2.16.0 fixed that problem but not CVE-2021-45105, which the Apache Software Foundation describes as follows:

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a denial of service (DoS) attack.”

The vendor-independent bug bounty program, Zero Day Initiative, described the flaw as follows:

“When a nested variable is substituted by the StrSubstitutor class, it recursively calls substitute(). However, when the nested variable refers to the variable being substituted, the recursion is called with the same string. This leads to infinite recursion and a DoS condition on the server.”

Another remote code execution bug, now tracked as CVE-2021-44832, was subsequently found in the same Apache Log4j logging library. It is the fourth vulnerability disclosed in Log4j 2 since Log4Shell.

Rated "moderate" in severity with a CVSS score of 6.6, the vulnerability stems from insufficient controls on JNDI access in Log4j: an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can execute remote code. The precondition of write access to the configuration is what keeps the rating moderate rather than critical.

The Apache security team has released another version of Log4j, 2.17.1, which fixes CVE-2021-44832. This is yet another update for most users, but upgrading is again strongly recommended.

No U.S. federal agency has been compromised due to the vulnerability, Jen Easterly told reporters on a call. No major cyberattacks related to the bug have been reported in the United States either, although many attacks go unreported, she said.

Easterly said the extent of the vulnerability, which affects tens of millions of Internet-connected devices, makes it the worst she has ever seen in her career. Attackers may bide their time, she said, waiting for companies and others to lower their defenses before striking.

"We expect Log4Shell to be used in intrusions well into the future," Easterly said. She noted that the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, was due to a vulnerability in open source software.

So far, most attempts to exploit the bug have focused on low-level cryptocurrency mining or on recruiting devices into botnets, she said.

Source: https://www.cnet.com



luix said:

    It's because of over-engineering. Each component should do only one thing and do it well. But developers have a bad habit of piling on layers and layers of unnecessary functionality, which only make it more complex and prone to this type of failure. Just saying.