What's this Log4Shell vulnerability about? Spoke to my son who works in IT in the city and calamitous apparently.
https://www.wired.com/story/log4j-fl...king-internet/
https://www.wired.com/story/log4j-fl...king-internet/
-
bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson) -
Yeah I read that earlier today.
I expected someone else to start a thread."You’re just a bad memory who doesn’t know when to go away" JR -
Basically, Log4j is an Apache package (written in Java) which does logging. A lot of recent versions have a vulnerability (CVE-2021-44228, aka Log4Shell) which allows RCE (Remote Code Execution). Basically, if you send a particular string to the website, you can launch code; you can do that from the login screen, so this attack doesn't require authentication. It has a base CVSS v3 score of 10, which is the highest possible score.
The good news is that Log4j has a new version out which fixes the problem, so you just need to install the patch.
The bad news is that you wouldn't install something like this directly; it will be a module buried inside another application. E.g. VMware have put out a security advisory with a list of all their affected products:
VMSA-2021-0028.1 (vmware.com)
At the time of posting, there's no fixed version for any of them, but they've given workaround instructions for some of the products.
Some people have argued that this demonstrates the need for SBOM (Software Build Of Materials). The idea is that each application would include a list of all the modules etc. that it uses, then you can search through the list in a situation like this rather than having to hunt around all the vendors websites. However, there's still an argument for testing each device/website to check whether it's affected.Comment
Comment