In Case You Missed It: Log4j’s Holiday Week
Fifth Patch Released:
Log4j continues to make news during the final week of 2021, as Apache issues 2.17.1, its fifth patch since the initial vulnerability was uncovered earlier this month.
This patch fixes CVE-2021-44832, an arbitrary code execution flaw, which could be used by threat actors to run malicious code.
Per the CVE description: “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.”
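The rule described in the CVE text can be checked against a configuration file directly. The following is an added example, not code from Apache or from the original article: it applies the same "java protocol only" test to the DataSource jndiName of each JDBC Appender in an XML Log4j2 configuration, and the sample configuration, appender names and host name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (illustrative only, not from a real system).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="suspectDb" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>
"""


def _local(tag):
    # Drop any XML namespace and lower-case the name, since Log4j2
    # matches configuration element names case-insensitively.
    return tag.rsplit("}", 1)[-1].lower()


def audit_jdbc_datasources(xml_text):
    """Return (appender_name, jndi_name) for every JDBC Appender whose
    DataSource jndiName does not use the java: protocol."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "jdbc":
            continue
        for child in elem:
            if _local(child.tag) != "datasource":
                continue
            attrs = {k.lower(): v for k, v in child.attrib.items()}
            jndi = attrs.get("jndiname", "").strip()
            # Empty values and unresolved lookups such as ${env:...} are
            # flagged too, so that a person reviews them.
            if not jndi.lower().startswith("java:"):
                findings.append((elem.get("name", "<unnamed>"), jndi))
    return findings


if __name__ == "__main__":
    for appender, jndi in audit_jdbc_datasources(SAMPLE_CONFIG):
        print(f"review JDBC appender {appender!r}: jndiName={jndi!r}")
```

A finding is a prompt to review who can write to the configuration file and why the data source points outside the java: namespace; it does not replace upgrading to a fixed release.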
Joint Guidance Issued:
Federal law enforcement agencies from the US, Australia, Canada, New Zealand, and the United Kingdom issued a joint statement on the Log4j vulnerabilities.
The notice includes CISA’s previously issued guidance, with steps including:
Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.
Consequences from the Chinese Government:
Bloomberg News reported that the vulnerability was initially found by an Alibaba software developer in late November and reported to Apache.
The developer’s organization, Alibaba Cloud, has been suspended from an information sharing partnership by regulators for six months for reporting the issue to Apache prior to reporting it to the Chinese Ministry of Industry and Information Technology, according to reports from ZDNet.
Cyber Experts Offer Insights on the Future of Log4j:
CEO and Founder of Check Point Software Technologies Gil Shwed appeared on CNBC to explain the impact of this vulnerability.
“What makes it very dangerous is that it’s very infectious,” Shwed said in the interview. He stated that the cybersecurity industry’s response has been very good; however, the shrewdness and skill of the hackers have improved so much in recent years. There are about 60 variants of this vulnerability, Shwed said.