Security News > 2021 > December > As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others

As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
2021-12-15 23:31

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.

It's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021.

Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.

CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories - from Amazon cloud services to VMware tools.

"CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.

CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/15/log4j_latest_cisa/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-10 CVE-2021-44228 Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
10.0