The Log4Shell flaw has website administrators rushing to patch their servers, even as criminals step up their attacks
A second flaw was found in the same logging utility that could crash websites, and the utility's developers rushed to release a patch that fixes both flaws
The new flaw, cataloged as CVE-2021-45046 but without a catchy name, exploits the same functionality as Log4Shell, known as CVE-2021-44228 [An attacker can cause a denial of service, or crash, with Log4j, the same utility exploited by Log4Shell This can cause a denial of service, ie, a crash, in Log4j, the same utility that is exploited by Log4Shell
The initial patch to stop Log4Shell, version 2150 of Log4j, does not stop this new attack Therefore, the Apache Software Foundation, which maintains Log4j, released version 2160 of Log4j yesterday (December 13)
The Log4j crash will probably not lead to the same devastating effects as Log4Shell The previous flaw allows an attacker to slip malicious code into the web server containing Log4j somewhere in its software and steal sensitive information from it
This new flaw might take the web server offline, which is annoying and could be expensive if business transactions are halted, but most likely will not lead to permanent damage
The number of web servers affected by Log4Shell is likely in the hundreds of thousands, if not millions, and all versions of the Java execution environment are affected The only permanent solution is to update Log4j
The Dutch National Cyber Security Center has a list of enterprise software that is believed to be vulnerable to Log4Shell, including software that has been found not to be vulnerable
Among the well-known companies on the list are Amazon, Broadcom, Cisco, Citrix, Dell, HPE, Huawei, IBM, McAfee, Microsoft, Netflix, Oracle, Red Hat, Siemens, Trend Micro are included
As detailed in a previous article, most Windows PCs, Macs, and mobile devices are not vulnerable to attacks using Log4Shell unless the device is running a Java Runtime Environment (This was not addressed in Microsoft's December Patch Tuesday update)
Gamers running Minecraft Java Edition, which of course runs Java, got a patch for Minecraft last week Yesterday, Bitdefender reported that it had witnessed two campaigns to plant ransomware and remote access Trojans on Windows machines with Java installed [However, neither Windows nor macOS have Java installed; Linux desktops are more vulnerable because many of them have Java; Ubuntu has already released a patch to fix Log4Shell, and other Linux distributions have probably done so as well
However, because of the sheer volume of financial and personal data held on web-facing servers, including credit card and banking information, e-mail messages, login credentials, photos, and other personal information, the risk of data breach, identity theft, credit card theft, account takeover, etc, is perhaps higher than ever before
Similarly, criminals may use Log4Shell to deface websites, distribute malware, or use it in phishing attacks to steal personal information
Now is a great time to start using the best password managers, install the best anti-virus software, freeze your credit files, and check your credit reports
Comments