Log4j…. The Gift That Keeps On Giving

This isn’t the type of gift that sysadmins want, but news has come to light that a third Log4j vulnerability has been discovered, CVE-2021-45105, and this time it is a denial-of-service bug. It isn’t a variant of the Log4Shell remote-code execution bug (CVE-2021-44228), but it lives in the same lookup-substitution machinery: if a PatternLayout expands Thread Context Map data with a ${ctx:...} lookup, an attacker who controls that data (a login name taken from a header, say) can supply a self-referential value that sends the lookup into uncontrolled recursion until the logging thread falls over. The fix shipped in Log4j 2.17.0 (2.12.3 for Java 7 and 2.3.1 for Java 6).
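To make the mechanism concrete, here is an added example written for this page; it is not code from the original post or from the Log4j project. It models ${prefix:key} expansion with a deliberately minimal resolver (the function and variable names, and the sample thread-context data, are all constructed here). The "unbounded" resolver re-scans its output after every substitution, so a context value that expands to itself never converges and only an external budget stops it; the "bounded" resolver inserts a looked-up value as literal text and never re-expands it, which is what emitting context data with %X instead of ${ctx:...} amounts to. The model leaves out Log4j’s own variable-cycle check, which the real trigger strings work around, so the direct self-reference used here is the simplest illustration of the re-scan problem, not the actual exploit payload.

```python
"""Simplified model of Log4j 2-style ${prefix:key} lookup expansion.

This is NOT Log4j's code. It is a stand-in written for this page to show why
re-expanding attacker-controlled Thread Context Map values can spin a naive
resolver forever (the shape of the CVE-2021-45105 denial of service), and
how a resolver that treats looked-up values as opaque text stays bounded.
"""
import re

# ${prefix:key} with a simple key (no nested braces) is all this model handles.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^${}]+)\}")

# Constructed sample data: what a server might put into the thread context
# (MDC) for one request. 'loginId' is attacker-controlled, e.g. from a header,
# and has been set to a value that refers back to itself.
THREAD_CONTEXT = {
    "loginId": "${ctx:loginId}",
    "requestId": "req-42",
}


class ExpansionBudgetExceeded(Exception):
    """Raised when the unbounded resolver runs out of substitution budget."""


def lookup(prefix, key, ctx):
    """Resolve one lookup. Only the 'ctx' source exists in this model;
    anything else expands to the empty string."""
    if prefix == "ctx":
        return ctx.get(key, "")
    return ""


def resolve_unbounded(pattern, ctx, budget=1000):
    """Vulnerable model: substitute the first lookup, then re-scan the whole
    result for another one, until none is left. A value that expands to
    itself never converges; in the real bug the thing that finally stops the
    loop is the JVM (stack or CPU), i.e. the denial of service. Here an
    explicit budget stands in for that. Returns (text, substitutions)."""
    text = pattern
    steps = 0
    while True:
        m = LOOKUP.search(text)
        if not m:
            return text, steps
        if steps >= budget:
            raise ExpansionBudgetExceeded(steps)
        steps += 1
        text = text[:m.start()] + lookup(m.group(1), m.group(2), ctx) + text[m.end():]


def resolve_bounded(pattern, ctx):
    """Hardened model: one pass over the pattern; each looked-up value is
    inserted as literal text and is never re-scanned, so the output is
    produced in time proportional to the pattern, whatever the value says.
    This is the behaviour you get from %X/%mdc rather than ${ctx:...}."""
    return LOOKUP.sub(lambda m: lookup(m.group(1), m.group(2), ctx), pattern)


if __name__ == "__main__":
    layout = "user=${ctx:loginId} req=${ctx:requestId}"
    print("bounded  :", resolve_bounded(layout, THREAD_CONTEXT))
    try:
        resolve_unbounded(layout, THREAD_CONTEXT, budget=50)
    except ExpansionBudgetExceeded as exc:
        print("unbounded: gave up after", exc.args[0], "substitutions")
```

Run it and the bounded resolver prints the line once with the attacker’s string sitting harmlessly in the user field, while the unbounded one burns its whole budget on the same field without ever producing a line. Swap the loginId value for a plain name such as alice and both resolvers agree, which is why this class of bug is easy to miss in normal testing.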

Yikes!

Ayal Yogev, CEO and Cofounder, Anjuna Security had this to say:

     “The Log4Shell bug, as we’re seeing with other common vulnerabilities such as CVE-2021-45105, is used to execute privileged malicious code that immediately puts entire enterprise IT infrastructures at risk. Stopping the spread is possible using widely available confidential computing facilities available in the cloud and on hosts. These physically and cryptographically isolate an application’s memory, compute and storage from others on a given host, stopping the spread at its point of infection.”

Honestly, if you haven’t patched Log4j yet in your environment, you need to get cracking, and that means going to 2.17.0 (or 2.12.3 on Java 7 and 2.3.1 on Java 6). Stopping at 2.15.0 or 2.16.0, or at the JndiLookup class removal, does not cover this one, because the recursion bug has nothing to do with JNDI. If you genuinely cannot upgrade yet, Apache’s advice for CVE-2021-45105 is to replace ${ctx:...} lookups in your PatternLayout with the %X, %mdc or %MDC thread-context patterns, which print the value without expanding it. I suspect that more issues will be found with Log4j, seeing as everyone and their dog is looking for them.
