Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Technology

CISA Tells Federal Agencies To Patch Log4Shell Before Christmas (therecord.media) 57

The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve. From a report: The agency has added yesterday the Log4Shell bug (CVE-2021-44228) to its catalog of actively-exploited vulnerabilities, along with 12 other security flaws. According to this catalog, federal agencies have ten days at their disposal to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers. All of this must be done by December 24, according to a timeline provided in the catalog. In addition, CISA has also launched yesterday a dedicated web page providing guidance to the US public and private sector regarding the Log4Shell vulnerability.
This discussion has been archived. No new comments can be posted.

CISA Tells Federal Agencies To Patch Log4Shell Before Christmas

Comments Filter:
  • Comment removed based on user account deletion
  • I'm just wondering if corporates get a pass while open source gets the microscope. Anyone know the specifics?
    • by splutty ( 43475 )

      You're making a comment that makes no sense whatsoever, and then ask for specifics? That'll be... Hard.. :D

    • Open source is also corporate.

      Your word of the day is proprietary. Please study it carefully.

      • No. Open source can be sponsored by corporate entities, but nothing about open source is inherently corporate. Your word for the day is dictionary read it with zeal.
        • So Oracle/MySQL, Red Hat, Canonical, SUSE are not corporate entities?
          • Of course they are corporate entities, genius. They just aren't (by a damn sight) the only ones involved with Open Source. See, that's the "open" part that you're willfully ignoring. Is it easy for you to just ignore the fact that OEL, RHEL, Ubuntu, and SuSE come from Debian and Fedora which are both non-profit organizations which use a mix of private volunteers and commercial actors? Thousands of volunteers who write open source don't care if you think "Open Source" has somehow been subsumed by corporate a
            • SuSE comes from OpenSuSE, too. Literally none F.Ultra's examples do anything but torpedo his point.
              • No they are all 100% valid until you decided to shift goalposts at which point MySQL remained. But if you want I have other examples as well, the company that I work for releases all our sources licensed under GPLv3 but we control the source 100%.
                • That does ZERO to prove your original point, idiot. The fact that some companies participate in Open Source does not mean open source "is corporate" (which was your original brain dead assertion). It's like saying the color red "is corporate" because Target uses it. It's not. Not only that, but MySQL started off completely as an non-corporate open source project. So you don't even know your history, you fucking troll. I bet you don't even code and you are just talking about shit you have no idea about. Stop
                  • Not sure why you are so damn angry and aggressive? Zero people have claimed that Open Source "is corporate" OP pointed out that there exists corporate Open Source and I agreed with that sentiment by giving you examples of such cases. MySQL was "corporate" back in the Monty days (he made money by selling a non GPL-licensed version to companies wanting to link to MySQL from proprietary applications), but it became Corporate when SUN bought all assets from Monty.

                    Oracle does not "participate" in MySQL, they own

                    • I guess if you can't read your own post or see when I quote you directly to prove you totally did say "Open Source is also corporate" there isn't much hope for you. Sure. You totally didn't say what you totally did and anyone can read just a few posts earlier. Bro, that's beautiful. You should go into politics or maybe finally start coding so you'd understand what you are actually bullshitting about.
                    • You mean the post by "Aighearach" another complete different user that is not me? Yes everyone can totally read that, but you didn't now did you or you would have seen that you replied to the wrong person.
                    • Do you mean the the same argument you've been making the whole time? Yeah, that one. Do you have any actual point ? Can you just state it clearly so we can see if you are truly just being misunderstood or if you are utterly full of shit like you mostly seem?
                    • I just pointed out that you made a mistake when you talked about what I did write. But yes of course there can be corporate owned open source, I work on such code personally.
                    • Is that your actual point? How fucking lame. "There can be corporate owned open source" Well, howdy dooty there, genius! You've stumbled onto a fact!
                    • And I never tried to do anything else, but you played the age of silly game of "no there isn't" and suddenly there where a whole thread of us two going back and forth.
            • The context wasn't that they where the only ones contributing to the software, it was weather or not there existed corporate open source, which there does considering my list. Also good luck getting a patch into MySQL that is will not first be vetted by Oracle.
  • by backslashdot ( 95548 ) on Tuesday December 14, 2021 @01:55PM (#62079871)

    This is like the jab, but for servers. No thanks. My server already has performance issues due to all the WiFi antennas nearby. I have been supplying it with DC current that has been proven to boost memory allocations.

    • If you carefully wrap the case in tin foil that will protect it from both wifi and even 5G.

      But adhesive-backed tin foil can be hard to find. So I recommend instead using copper foil. It is sold online as guitar shielding tape. Surely your server is as important as some hippie's guitar, right?

  • Does this affect log4net, the .NET C# clone of log4j? There are .NET C# running on Unix systems so I'd assume so.

    • Depends on if that fork supports the decoding of ${a:b} sequences in the logs or not.
    • Does this affect log4net, the .NET C# clone of log4j?

      No, deserializing an object from a remote server and then executing it is only a Java thing. In .NET/C# the deserialization only works on the data, not the code.

      • by kriston ( 7886 )

        Wow, deserializing a randomly-obtained object in Java executes it? That's seriously bad.

    • by kriston ( 7886 )

      Not sure why this modded down. Has Slashdot become as bad as Reddit?

  • Boss just called again [slashdot.org]. Says we can now no longer trust the Internet and we have 24 hours to pull all the network cables and burn all the routers and switches. Have a Zoom call with SpaceX this afternoon to inquire about nuking the data center from orbit.
    • I have been telling people, do not install patches. Patches have side effects that can cause your server to behave erratically. What has really been proven to work is detoxifying your tmp directory and adding aliases to your shell config file. Just download and install detoxr_rootkit.sh from its website in Romania. Trust me I detoxed my tmp directory and immediately saw my server improve 10x while a bunch of previously blocked ports were opened up. A guy on YouTube found that aliasing ls to rm * cleared up

    • to inquire about nuking the data center from orbit.

      It's the only way to be sure.

    • Sounds like your boss does so much cocaine maybe you should just route all your traffic through freenode

  • I work for {$multinational corporation} and we patched it last weekend, in literally hundreds of separate applications. WTF?
  • Most government test plans take weeks to execute. And everyone's going on vacation or already are gone.

    Do they mean 12/24/2022?

  • The log4j vulnerability is bad, sure, no question. I'm sure it seemed a great idea at the time to be able to fetch external information to dynamically add to your logging messages (*not*).

    However, let us not forget that - in order to be exploited - the server also has to be running a version of Java from 2018 or earlier. So any vulnerable servers are way, way behind on their security updates. As usual, it's not just the vulnerability, It is also incompetent or lazy sysadmins.

    • I don't think you understand the magnitude of testing that goes on in safety-critical government systems. The system I worked on performed a technology upgrade about once every eight years. The tech upgrade was usually rolled out in one of their smaller software releases and it went through an insane amount of testing to guarantee that it didn't degrade the functionality, performance, or security of the system. The main justification for this process was that they couldn't afford to have a safety-critica
  • There are already utilities in open source that can scan servers for log4j vulnerability. Someone in a government cyber agency could crank up a couple of instances and scan the government servers to get a list. The fix is easy, so just get the right people by the scruff of the neck and make them do it immediately.
  • I already have at least 20 scans for this vulnerability in my web-server logs over the last 3 days. (No log4j or any other Java crap on my servers...)
    Anybody that has not already patched this is criminally negligent.

Where there's a will, there's an Inheritance Tax.

Working...