Yet Another Massive Cybersecurity Threat


The vulnerability, uncovered earlier this month, has quickly snowballed into one of the most widespread cybersecurity vulnerabilities in recent years, with security professionals scrambling to deploy patches for a software that underlies the majority of organizations around the world.

“These vulnerabilities, especially Log4Shell, are severe,” the agencies warned. “These vulnerabilities are likely to be exploited over an extended period.”

CISA in particular has taken action, with the agency last week putting out an emergency directive ordering federal agencies to immediately investigate and patch against the vulnerability, and creating a team through its Joint Cyber Defense Collaborative to address the issue.

Homeland Security Secretary Alejandro Mayorkas said Tuesday the recently announced Hack DHS bug bounty program would be extended to include incentives for vetted cybersecurity professionals to hunt through some external DHS systems for log4j-related vulnerabilities.

CISA Director Jen Easterly last week underscored the threat from the vulnerability, which may take years to fully patch across all systems.

“CISA estimates that hundreds of millions of devices in use around the world are potentially susceptible to the log4j vulnerability,” Easterly said in a statement provided to The Hill last week. “We know malicious actors are actively exploiting this vulnerability in the wild.”
 
Interesting. My company has all of our documents on an electronic document management system and it was down all morning. Hopefully, they were patching things up.
 
The inside joke is it's pronounced log-forge.
I've been wondering when it would be brought up here. I guess we're all pretty busy.
 
> The inside joke is it's pronounced log-forge.
> I've been wondering when it would be brought up here. I guess we're all pretty busy.

It wasn't brought up here likely because there really isn't anything a consumer can do with or about it: It's not like anyone needs to keep an eye out for a Win10 patch or see if Malwarebytes catches a vulnerability in their Win10 laptop.

Heck, a patch for this thing was issued in extremely short order. The real danger, twofold, is whether or not the systems throughout the world that are affected are going to have that patch **applied** by someone and whether or not binaries or containers or lord-knows-what that may have this logging system embedded in it are also patched.

I downloaded a few scripts to scan my servers for this vulnerability; and Ubuntu is convenient enough that I could use their support application to scan for and fix it were it present. But I just run a humble network of modest web servers. There are innumerable systems out there who may not receive the attention needed to ensure they're "good to go" and I think that's why a lot of analysts are predicting this vulnerability may be with us for a spell.
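
What a scan for embedded copies has to do, as an added example (not part of the post above and not one of the scripts the poster used): open each Java archive, follow archives nested inside it, and report every copy of log4j-core with the version it declares. The function names are hypothetical; the class path and `pom.properties` location are the usual log4j-core 2.x layout, assumed here.

```python
import io
import os
import zipfile

# Assumption of this example: the JNDI lookup class marks a copy of
# log4j-core 2.x whose version then needs checking against the advisory.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def _version(zf):
    """Return the version= value from the embedded pom.properties, if any."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(fileobj, label, depth=0, max_depth=5):
    """Yield (location, version) for each log4j-core copy, following nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # not a readable archive; skip rather than abort the scan
    with zf:
        names = zf.namelist()
        # Match at the archive root or under a prefix such as WEB-INF/classes/.
        if any(n == JNDI_CLASS or n.endswith("/" + JNDI_CLASS) for n in names):
            yield label, _version(zf)
        if depth >= max_depth:
            return
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                inner = io.BytesIO(zf.read(n))  # nested archive, read in memory
                yield from scan_archive(inner, f"{label}!/{n}", depth + 1, max_depth)

def scan_tree(root):
    """Walk a directory and scan every archive found under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh, path))
    return hits
```

A path match like this misses copies whose packages were relocated by a build tool, and the declared version says nothing about fixes a distribution has backported, so each hit is a lead to check against the vendor's advisory rather than a verdict.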
 
Our time clocks (Kronos/UKG) system was hacked and attacked where I work this week. That may not be exactly the same, but it happened.
 
Nice video explaining the vulnerability

I tend to not like normal tech sites because they don't get into detail on the vulns., and write things that cause security n*zis to run around like decapitated chickens, which then pushes me to make mistakes and take down hosts.

In this case, I have Red Hat saying most of their stuff is not vulnerable because they ship a version too old, while Tenable scans a host and flags it as a "10", claiming you should fix it anyway because it's an old version thus not supported. Back to Red Hat, they say they continue to patch security bugs for older software versions even if the upstream won't, because that's their support model. 10 days later, Red Hat has a patch for it, but because a different vuln was found. Security only cares about a color on a dashboard: red or green.

Oracle's hiding all their work behind a support paywall. Kind of sad because most of the time their writeups are better. I switched companies so don't have a support contract anymore, so I have to rely on non-Oracle writeups.
 