Log4j Vulnerability - What do you need to know?



Show first post

32 comments

Userlevel 3

:warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:

Nearly full list of whats vendor/products are affected:

https://github.com/NCSC-NL/log4shell/tree/main/software

 :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:

grazie Signore

Userlevel 7
Badge +20

Unfortunately, there’s a new second CVE that’s need a new patch.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Yes, log4j 2.16.0 is needed now. And who knows if this is the last issue :sunglasses:

Unfortunately this is getting worse. At first there was concern this would result in Denial of Service attacks, now the CVE severity is expected to be increased from 3.7 to around 9 as limited Remote Code Execution (RCE) has been discovered.

Userlevel 7
Badge +11

Great post @MicoolPaul ! It has been a hell of a week regarding this issue, to mitigate the infrastructure of the customers...

Userlevel 7
Badge +13

Not sure if helpful, but INE posted this video about how log4j is exploited and how can be mitigated (double patch, the only first still permit DOS)

 

Userlevel 7
Badge +20

Thanks for sharing @marcofabbri, the more people know; the better they can apply the right mitigations.

 

Upon further review the second patch can cause DOS and RCE, but RCE so far has only been proven via macOS it seems.

Userlevel 7
Badge +13

VMware started to offer fixes for their VDI products:

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

They also updated their workaround KB-article for the new finding, @MicoolPaul mentioned:

https://kb.vmware.com/s/article/87081. There is a new script to remove Java classes.

Userlevel 7
Badge +13

If interested: Here is a list of all HPE products NOT affected:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us

Here is a list of all affected HPE products and versions:

https://support.hpe.com/hpesc/public/docDisplay?nlaid=HPGL_ALERTS_3009925&docId=emr_na-hpesbgn04215en_us

Comment