• Latest
  • Trending
Here We Go Again: Second Log4j Flaw Surfaces

Here We Go Again: Second Log4j Flaw Surfaces

December 15, 2021
iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022
AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

May 17, 2022
Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana

Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana

May 17, 2022
Nokia Moves HR Functions to Oracle Fusion Cloud HCM

Nokia Moves HR Functions to Oracle Fusion Cloud HCM

May 17, 2022
Ericsson and Turkcell Perform Turkey’s First 5G Connected Mobile Robot Demo

Ericsson and Turkcell Perform Turkey’s First 5G Connected Mobile Robot Demo

May 17, 2022
Relativity and ENSafrica to Help Expand the African Cloud Capabilities

Relativity and ENSafrica to Help Expand the African Cloud Capabilities

May 17, 2022
MTN Nigeria Adopts LigaData’s Time Machine

MTN Nigeria Adopts LigaData’s Time Machine

May 17, 2022
NVIDIA Certifies NetApp EF600 For DGX SuperPOD

NVIDIA Certifies NetApp EF600 For DGX SuperPOD

May 17, 2022
PNY Announced XLR8 DDR5-6000 MAKO RGB Memory Kits

PNY Announced XLR8 DDR5-6000 MAKO RGB Memory Kits

May 17, 2022
V-Color Manta XPrism RGB SCC DDR5-6200 CL36 2x 16 GB

V-Color Manta XPrism RGB SCC DDR5-6200 CL36 2x 16 GB

May 17, 2022
WD Announces WD Black SN850X and P40 Game Drive

WD Announces WD Black SN850X and P40 Game Drive

May 17, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Tuesday, 17 May, 2022
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Here We Go Again: Second Log4j Flaw Surfaces

by ITECHNEWS
December 15, 2021
in Leading Stories, Opinion
0 0
0
Here We Go Again: Second Log4j Flaw Surfaces

Maybe Log4j vulnerabilities are like rats—for every one that’s visible, multiple others scurry beneath the surface. It’s too early to tell if that’s what will happen with Log4j.

But just a day or so after a damaging vulnerability was disclosed, another has come to light. This time it’s believed to be moderate in severity.

YOU MAY ALSO LIKE

iOS 15.5 arrives ahead of Apple’s annual developer conference

Researchers devise iPhone malware that runs even when device is turned off

“A second vulnerability involving Apache Log4j was found on Tuesday,” according to a MITRE alert. “The description on the new CVE 2021-45046 said the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was ‘incomplete in certain non-default configurations.’”

“When a vulnerability is discovered and makes as much noise as Log4Shell, it invariably signals that there are additional vulnerabilities in the same software or fixes for that software and that triggers additional research and discovery,” said Casey Ellis, founder and CTO at Bugcrowd.

“The technique of abusing JNDI lookups with user-generated data has been around for years,” agreed Davis McCarthy, principal security researcher at Valtix. “With the attention CVE-2021-44228 has received, I wouldn’t be surprised if we saw a third CVE related to Log4j2.”

Ellis pointed out that “in this case, the initial fix provided was developed in a way that mitigated the exploitable symptom, but didn’t properly address the root cause.”

Indeed, Apache said the fix addressing “CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations,” according to the alert. “This could allow attackers with control over thread context map (MDC) input data when the logging configuration uses a non-default pattern layout with either a context lookup (for example, $${ctx:loginId}) or a thread context map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI lookup pattern resulting in a denial-of-service (DOS) attack.”

The alert said, “Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.” But previous mitigations that involve “configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do not mitigate this specific vulnerability,” MITRE warned. “Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).”

Ellis said the situation “also highlights the dangerous dependency open source users have on libraries which power large portions of the Internet but are ultimately written and maintained by unfunded volunteers with limited available time.” He gave credit to “ the Log4j maintainers” who he said likely “had an even busier and more stressful week than those in cybersecurity and are working on fixing and improving Log4j’s resilience as quickly as they can.”

Incomplete fixes are often a result of rushing patches to fix vulnerabilities, noted John Bambenek, principal threat hunter at Netenrich. The solution, he said, “is to disable JNDI functionality entirely (which is the default behavior in the latest version).”

Since “at least a dozen groups are using these vulnerabilities,” immediate action should then be taken “to either patch, remove JNDI or take it out of the classpath—preferably all of the above,” said Bambenek.

Manu Singh, risk engineer at Cowbell Cyber, sees an opportunity to show “a real-life use case where cyberinsurers can step up and help businesses.”

Singh said that Cowbell Cyber notified its policyholders of the vulnerabilities. “And our risk engineering team is available to help,” said Singh. “This is crucial in the small and mid-size market where security and IT resources are limited.”

ShareTweetShare

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022
AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

May 17, 2022

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022

Recent News

  • iOS 15.5 arrives ahead of Apple’s annual developer conference May 17, 2022
  • Researchers devise iPhone malware that runs even when device is turned off May 17, 2022
  • AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache May 17, 2022
  • Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana May 17, 2022
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© 2021 iTechNewsOnline.Com - Powered by BackUpDataSystems

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© 2021 iTechNewsOnline.Com - Powered by BackUpDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version