Cyber Forum
Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2540" data-attributes="member: 3">
<h3><span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> Third Log4J Bug Can Trigger DoS; Apache Issues Patch</h3>
<p><strong>Tags</strong></p>
<ol>
<li data-xf-list-type="ol"><strong>Critical CVE</strong></li>
<li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li>
</ol>
<p><strong>Third Log4J Bug Can Trigger DoS; Apache Issues Patch</strong></p>
<p><strong>Summary:</strong></p>
<p>“No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.</p>
<p>Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch.</p>
<p>It does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both the Log4Shell, tracked as CVE-2021-44228 (criticality rating of CVSS 10.0) and the new bug, tracked as CVE-2021-45105 (CVSS score: 7.5) abuse attacker-controlled lookups in logged data, (<a href="https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/" target="_blank">Threatpost, 2021</a>).”</p>
<p><strong>Analyst Comments:</strong></p>
<p>It was safe to assume that an additional patch would be released after the announcement of version 2.16. Researchers disclosed various vulnerabilities that could result in data exfiltration and denial of service after its release, so it was likely that the bugs were not addressed. Apache is now urging organizations to patch to version 2.17 to mitigate the possibility of a DoS attack targeting servers using log4j. Given the current state of things, additional vulnerabilities and patches may be released soon. Companies should implement as many technical safeguards available as possible in addition to patching products.</p>
<p><strong>Source:</strong></p>
<p><a href="https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/" target="_blank">https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/</a></p>
</blockquote>
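As an added example (not part of MJ Shoer's post or the Threatpost article), the inventory check a defender needs before acting on the "patch to 2.17" advice above: walk a directory tree, find log4j-core jars, read the version Maven embeds in each jar's pom.properties (falling back to the filename), and flag anything below 2.17.0. It assumes jars keep the standard log4j-core-&lt;version&gt;.jar name and Maven layout; shaded or renamed copies are not detected, and the older-Java backport branches are not modelled.

```python
"""Scan a directory tree for log4j-core jars and flag versions below 2.17.0."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 0)  # the post's remediation target for CVE-2021-45105
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Parse a 'version=2.16.0' line from pom.properties into an int tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(path):
    """Prefer the version embedded in the jar; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                v = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
                if v:
                    return v
    except zipfile.BadZipFile:
        pass  # corrupt or not a zip: fall through to the filename heuristic
    m = NAME_RE.match(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def scan(root):
    """Return [(path, version, needs_patch)] for every log4j-core jar under root.
    An undeterminable version is treated as needing attention (True)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core") and f.endswith(".jar"):
                p = os.path.join(dirpath, f)
                v = jar_version(p)
                findings.append((p, v, v is None or v < FIXED_VERSION))
    return findings


def make_fake_jar(path, version):
    """Constructed fixture: a jar holding only pom.properties (not a real log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")


def demo():
    """Build two constructed jars in a temp dir and return {filename: needs_patch}."""
    d = tempfile.mkdtemp()
    make_fake_jar(os.path.join(d, "log4j-core-2.16.0.jar"), "2.16.0")
    make_fake_jar(os.path.join(d, "log4j-core-2.17.0.jar"), "2.17.0")
    return {os.path.basename(p): bad for p, _, bad in scan(d)}
```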