Basically, Log4j is an Apache package (written in Java) which does logging. A lot of recent versions have a vulnerability (CVE-2021-44228, aka Log4Shell) which allows RCE (Remote Code Execution). Basically, if you send a particular string to the website, you can launch code; you can do that from the login screen, so this attack doesn't require authentication. It has a base CVSS v3 score of 10, which is the highest possible score.
The good news is that Log4j has a new version out which fixes the problem, so you just need to install the patch.
The bad news is that you wouldn't install something like this directly; it will be a module buried inside another application. E.g. VMware have put out a security advisory with a list of all their affected products:
VMSA-2021-0028.1 (vmware.com)
At the time of posting, there's no fixed version for any of them, but they've given workaround instructions for some of the products.
Some people have argued that this demonstrates the need for SBOM (Software Build Of Materials). The idea is that each application would include a list of all the modules etc. that it uses, then you can search through the list in a situation like this rather than having to hunt around all the vendors' websites. However, there's still an argument for testing each device/website to check whether it's affected.
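The SBOM search described in the post, as an added example (not code from the original post, from VMware or from the Log4j project): it walks a CycloneDX-style JSON component list and flags every log4j-core entry whose version falls in the range affected by CVE-2021-44228. The SBOM content is constructed for illustration, the component layout (`group`/`name`/`version`/`purl`) is assumed to follow the CycloneDX convention, and the version boundary used (2.15.0 as the first release that fixed this CVE) is a fact about Log4j, not something the post itself states.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON style; none of these entries
# describe a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        # a component identified only by its purl, as some generators emit
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        # the old 1.x line is a separate code base and is out of scope for this CVE check
        {"group": "log4j", "name": "log4j", "version": "1.2.17"},
        {"group": "com.example", "name": "webapp", "version": "3.1.0"},
    ],
})

# CVE-2021-44228 affects log4j-core 2.0-beta9 up to and including 2.14.1;
# 2.15.0 was the first release with the fix (later 2.x releases fixed follow-on issues).
FIRST_AFFECTED = (2, 0, 0, 0)   # 2.0-beta9 parses to this (pre-release flag = 0)
FIXED_VERSION = (2, 15, 0, 0)

PURL_RE = re.compile(r"^pkg:maven/([^/@]+)/([^/@]+)@([^?#]+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    The last element is 0 for a pre-release and 1 for a final release, so
    2.0-beta9 sorts below 2.0 and 2.15.0-rc1 sorts below 2.15.0.
    Returns None for strings that do not look like a Log4j version.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def component_coordinates(component):
    """Return (group, name, version), filling gaps from the purl when present."""
    group = component.get("group", "")
    name = component.get("name", "")
    version = component.get("version", "")
    m = PURL_RE.match(component.get("purl", ""))
    if m:
        group = group or m.group(1)
        name = name or m.group(2)
        version = version or m.group(3)
    return group, name, version


def is_vulnerable_log4j(component):
    """True if the component is a log4j-core build in the CVE-2021-44228 range."""
    group, name, version = component_coordinates(component)
    if group != "org.apache.logging.log4j" or name != "log4j-core":
        return False
    parsed = parse_version(version)
    if parsed is None:
        return False
    return FIRST_AFFECTED <= parsed < FIXED_VERSION


def find_vulnerable(sbom_json):
    """Scan an SBOM document and return 'group:name:version' for each affected entry."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        if is_vulnerable_log4j(component):
            hits.append(":".join(component_coordinates(component)))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM):
        print("affected:", hit)
```

Only the first log4j-core entry is reported: log4j-api is not the vulnerable artifact, 2.17.1 is past the fix boundary, and the 1.x line is a different code base that this check deliberately ignores. As the post notes, a clean SBOM result is a reason to look further, not a substitute for testing the device itself, since a bundled copy or shaded jar may not appear in the vendor's list.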
Previously on "What no atW/SE DOOM thread yet?"
Yeah I read that earlier today.
I expected someone else to start a thread.
What no atW/SE DOOM thread yet?
What's this Log4Shell vulnerability about? Spoke to my son who works in IT in the city and calamitous apparently.
https://www.wired.com/story/log4j-fl...king-internet/