As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others

2021-12-15 23:31

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.

It's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021.

Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.

CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories - from Amazon cloud services to VMware tools.

"CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.

CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/15/log4j_latest_cisa/

#china #cisa #iran #log4j #US #CVE-2021-44228

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2021-12-10	CVE-2021-44228	Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical	10.0

News URL

Related news

Related Vulnerability