Tag Archive for: Java

New zero-day exploit for Log4j Java library is an enterprise nightmare

/in


New zero-day exploit for Log4j Java library is an enterprise nightmare

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to ongoing remote code execution attacks.

Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.

Thus, while home users might have moved away from Java (although popular games like Minecraft still use it), anything from enterprise software to web apps and products from Apple, Amazon, Cloudflare, Twitter, and Steam is likely vulnerable to RCE exploits targeting this vulnerability.

Ongoing scans, exploitation of vulnerable systems

The bug, now tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam, is an unauthenticated RCE vulnerability allowing complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1.

It was reported by Alibaba Cloud’s security team to Apache on November 24. They also revealed that CVE-2021-44228 impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.

After the first proof-of-concept exploit was published on GitHub yesterday, threat actors began scanning the Internet [12] for systems vulnerable to this remotely exploitable security flaw that doesn’t require authentication.

Additionally, CERT NZ (New Zealand’s national Computer Emergency Response Team) has issued a security advisory warning of active exploitation in the wild (also confirmed by Coalition Director Of Engineering – Security Tiago Henriques and security expert Kevin Beaumont).

Nextron Systems’ Head of Research Florian Roth has shared a set of YARA rules for detecting CVE-2021-44228 exploitation attempts.

Patch and mitigation available

Apache has released Log4j 2.15.0 to address the maximum severity CVE-2021-44228…

Source…

Former NSA Hacker Reveals 5 Ways To Protect Yourself Online

/in

Waratek upgrades Java protection

/in

Waratek is introducing a feature to its Java-protection platform that enables upgrading to the current version of Java without having to install Java updates or touch the apps running within the Java virtual machine.

The latest version of its AppSecurity for Java uses secure virtual containers around the entire Java application stack to apply the security and performance features of the current Java 8 platform’s security and performance levels without having to install Java 8, the company says.

The alternative would be to replace the Java Runtime Environment (JRE) and upgrade the application code directly. That would involve taking the application offline while the upgrades are performed.

To read this article in full or to leave a comment, please click here

Network World Tim Greene

Critical Java bug found in PayPal servers

/in

The deserialization vulnerability, now fixed, could have let attackers plant malicious code and backdoors on PayPal Manager.
Naked Security – Sophos