nternet faces greater risk as 2nd serious bug found, patch released


New Delhi, Dec 15 (IANS): As the Internet faces one of the most serious vulnerabilities in recent years putting millions of devices at hacking risk, attackers are now making thousands of attempts to exploit a second vulnerability involving a Java logging system called 'Apache log4j2'.

The description of the new vulnerability, titled 'CVE 2021-45046', says the fix to address the earlier security bug (CVE-2021-44228) in 'Apache Log4j 2.15.0' was "incomplete in certain non-default configurations".

"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

"This could allow attackers... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack," the CVE description read.

Several popular services, including Apple iCloud, Amazon, Twitter, Cloudflare and Minecraft, are vulnerable to the 'ubiquitous' zero-day exploit.

Apache has now released a new security patch to address the second bug.

'Apache Log4j' is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services.

It is the most popular java logging library with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.

"Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks," cyber security researchers at Check Point had said in a blog post.

Another cyber security company Sophos said that it is already detecting malicious cryptominer operations attempting to leverage the vulnerability, and there are credible reports from other sources that several automated botnets (such as Mirai, Tsunami, and Kinsing) have begun to exploit it as well.

At present, most of the attacks focus on the use of cryptocurrency mining at the expense of the victims. However, under the auspices of the noise, more advanced attackers may act aggressively against quality targets.

Researchers at Microsoft have also warned about attacks attempting to take advantage of 'Log4j' vulnerabilities, including a range of crypto-mining malware.

 

  

Top Stories


Leave a Comment

Title: nternet faces greater risk as 2nd serious bug found, patch released



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.