viralamo

Menu
  • Technology
  • Science
  • Money
  • Culturs
  • Trending
  • Video

Subscribe To Our Website To Receive The Last Stories

Join Us Now For Free
Home
Technology
Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet
Technology

Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet

10/12/2021

Zeroday in ubiquitous Log4j  tool poses a grave threat to the Internet

Getty Images

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that’s used in countless apps, including those used by large enterprise organizations and also in Java versions of Minecraft, several website reported on last Thursday.

Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on Minecraft servers or clients by manipulating log messages, including from things typed in chat messages. The picture became more dire still as the Log4j was identified as the source of the vulnerability and exploit code was discovered posted online.

A big deal

“The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”

There already are reports servers performing Internet-wide scans in attempts to locate vulnerable servers.

@GreyNoise is currently seeing 2 unique IP’s scanning the internet for the new Apache Log4j RCE vulnerability (No CVE assigned yet).
A tag to track this activity on https://t.co/QckU3An40q will be made available shortly and linked as a reply when released.

— remy🐀 (@_mattata) December 10, 2021

Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a dizzying number of third-party apps may also be vulnerable to exploits that carry the same high severity as those threatening Minecraft users.

At the time this post went live, there wasn’t much known about the vulnerability. One of the only sources providing a tracking number for the vulnerability was Github, which said it’s CVE-2021-44228. Security firm Cyber Kendra on late Thursday reported a Log4j RCE Zero day being dropped on the Internet and concurred with Moore that “there are currently many popular systems on the market that are affected.”

Advertisement

Cyber Kendra said that in November the Alibaba Cloud security team disclosed a vulnerability in Log4j2—the successor to Log4j—that stemmed from recursive analysis functions, which attackers could exploit by constructing malicious requests that triggered remote code execution. The firm strongly urged people to use the latest version of Log4j2 available here.

The Apache Foundation has yet to disclose the vulnerability, although this page acknowledges the recent fixing of a serious vulnerability. Apache Foundation representatives didn’t respond to an email.

What it means for Minecraft

The Spigot gaming forum said that Minecraft versions 1.8.8 through the most current 1.18 release are all vulnerable, as did other popular game servers such as Wynncraft. Gaming server and news site Hypixel, meanwhile, urged Minecraft players to take extra care.

“The issue can allow remote access to your computer through the servers you log into,” site representatives wrote. “That means any public server you go onto creates a risk of being hacked.”

Reproducing exploits for this vulnerability in Minecraft aren’t straightforward because success depends not only on the Minecraft version running but also the version of the Java framework the Minecraft app is running on top of. It appears that older Java versions have fewer built-in security protections that make exploits easier.

Spigot and other sources have said that adding the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most Java versions. Spigot and many other services have already inserted the flag into the games they make available to users.

To add the flag users should go to their launcher, open the installations tab, select the installation in use and click “…” > “Edit” > “MORE OPTIONS”, and paste -Dlog4j2.formatMsgNoLookups=true at the end of the JVM flags.

For the time being, people should pay close attention to this vulnerability and its potential to trigger high-impact attacks against a wide variety of apps and services. For Minecraft users, that means steering clear of unknown servers or untrustworthy users. For users of open-source software, it means checking to see if it relies on Log4j or Log4j2 for logging. This is a breaking story. Updates will follow if more information becomes available.

Source link

Share
Tweet
Pinterest
Linkedin
Stumble
Google+
Email
Prev Article
Next Article

Related Articles

NYU study: Facebook’s content moderation efforts are ‘grossly inadequate’
In a scathing indictment of Facebook’s content moderation strategy, a …

NYU study: Facebook’s content moderation efforts are ‘grossly inadequate’

Fast & Furious: Crossroads lives video games a quarter-mile at a time
TechCrunch ist jetzt Teil der Verizon Media-Familie. Wir (Verizon Media) …

Grab and Singtel team up to apply for a digital full bank license in Singapore

Leave a Reply Cancel reply

Find us on Facebook

Related Posts

  • 15 best CBD oils you can buy
    15 best CBD oils you can buy
    21/03/2020
  • Black Friday PlayStation 5 and Xbox Series X gift guide
    Black Friday PlayStation 5 and Xbox Series …
    24/11/2020
  • Twitter labels deepfake video shared by Trump aide as ‘manipulated media’
    Twitter labels deepfake video shared by Trump …
    31/08/2020
  • Gamescom 2020 likely doomed as Germany limits large gatherings through August
    Gamescom 2020 likely doomed as Germany limits …
    15/04/2020
  • CleverTap celebrates International Women’s Day with video series ‘Inspiring Women’
    CleverTap celebrates International Women’s Day with video …
    08/03/2020

Popular Posts

  • 10 Movies That Totally Changed Course Midway …
    06/08/2022 0
  • 10 Movie Robots Who Would Pass the …
    09/07/2022 0
  • 10 Fascinating Things You Might Not Know …
    10/07/2022 0
  • Ten Eerie Unsolved Murders of Everyday Women …
    10/07/2022 0
  • 10 Photographs That Will Trigger the Megalophobic …
    11/07/2022 0

viralamo

Pages

  • Contact Us
  • Privacy Policy
Copyright © 2022 viralamo
Theme by MyThemeShop.com

Ad Blocker Detected

Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Refresh