Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2532" data-attributes="member: 3">
<h3><span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> Apache Releases 2.17 the Third Patch to Address a New log4j Flaw</h3>
<p><strong>Tags</strong></p>
<ol> <li data-xf-list-type="ol"><strong>Critical CVE</strong></li> <li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li> <li data-xf-list-type="ol"><strong>Ransomware Attack</strong></li> </ol>
<p><strong>Apache Releases 2.17 the Third Patch to Address a New log4j Flaw</strong></p>
<p><strong>Summary:</strong></p>
<p>The Apache Software Foundation (ASF) was forced to release the third version in a week (version 2.17.0) to fix a ‘High’ severity Denial of Service (DoS) vulnerability in the log4j 2.16 tracked as CVE-2021-45105.</p>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2021-45105</a></p>
<p>“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.”</p>
<ul> <li data-xf-list-type="ul"><a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">https://logging.apache.org/log4j/2.x/security.html</a></li> </ul>
<p>State-sponsored actors continue to leverage the Log4j vulnerabilities for various malicious purposes, including the deployment of ransomware. Conti ransomware operators were observed exploiting public-facing protocols and services for initial access and then leveraging the vulnerability to bypass access controls/restrictions to deploy final payloads. Companies rushed to patch the plethora of devices using the Log4j service to find out that they were incomplete.</p>
<p>“Immediately after the disclosure of the exploit, Microsoft researchers reported that Nation-state actors from China, Iran, North Korea, and Turkey are now abusing the Log4Shell (CVE-2021-44228) in the Log4J library in their campaigns. Some of the groups exploiting the vulnerability are China-linked Hafnium and Iran-linked Phosphorus, the former group is using the flaw to attack virtualization infrastructure, the latter to deploy ransomware, (<a href="https://securityaffairs.co/wordpress/125760/hacking/log4j-third-flaw.html" target="_blank">SecurityAffairs, 2021</a>).”</p>
<p><strong>Analyst Comments:</strong></p>
<p>The CVE-2021-45105 vulnerability received a CVSS score of 7.5; it is a DoS flaw that impacts log4j 2.16. The experts pointed out that even if JNDI lookups were disabled in version 2.16, self-referential lookups remained a possibility under certain circumstances.</p>
<p>The Apache Software Foundation (ASF) fixed the CVE-2021-45105 flaw with the release of log4j version 2.17.0 (for Java 8).</p>
<p><strong>Source:</strong></p>
<p><a href="https://securityaffairs.co/wordpress/125760/hacking/log4j-third-flaw.html" target="_blank">https://securityaffairs.co/wordpress/125760/hacking/log4j-third-flaw.html</a></p>
<p><a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">https://logging.apache.org/log4j/2.x/security.html</a></p>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2021-45105</a></p>
</blockquote>
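<p>An added example, not part of the quoted post or of any Apache code: a triage helper that classifies an inventory of jar paths against the CVE-2021-45105 range quoted above (2.0-alpha1 through 2.16.0, excluding 2.12.3). The function names, the sample paths and the assumption that jars keep their Maven-style name <code>log4j-core-&lt;version&gt;.jar</code> are hypothetical; shaded or renamed jars are reported as unknown.</p>

```python
import re
from pathlib import PurePosixPath

# Range as quoted from NVD in the post: 2.0-alpha1 through 2.16.0.
LAST_AFFECTED = (2, 16, 0)
# Only backport named on the page; extend from the Apache security page.
FIXED_BACKPORTS = {(2, 12, 3)}
# Assumed Maven-style file name, e.g. log4j-core-2.0-beta9.jar.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?\.jar$")

def parse_version(path):
    """Return (major, minor, patch) from a log4j-core jar path, or None."""
    m = JAR_RE.match(PurePosixPath(path).name)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(path):
    """Classify one jar path against the CVE-2021-45105 range."""
    version = parse_version(path)
    if version is None:
        return "unknown"        # not a recognisable log4j-core jar name
    if version[0] != 2:
        return "out_of_scope"   # the quoted range covers Log4j2 only
    if version in FIXED_BACKPORTS:
        return "fixed"
    # Pre-releases (2.0-alpha1 onwards) parse to (2, 0, 0) and fall in range.
    return "affected" if version <= LAST_AFFECTED else "fixed"

def triage(paths):
    """Group paths by classification so affected hosts can be patched first."""
    report = {}
    for p in paths:
        report.setdefault(classify(p), []).append(p)
    return report

# Constructed sample inventory (not from the original post).
SAMPLE = [
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-core-2.17.0.jar",
    "/srv/legacy/WEB-INF/lib/log4j-core-2.12.3.jar",
    "/srv/old/lib/log4j-core-2.0-beta9.jar",
    "/srv/old/lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for status, items in triage(SAMPLE).items():
        print(status, items)
```

<p>Entries reported as unknown still need a manual look, since a file-name check cannot see log4j-core classes bundled inside another archive.</p>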