Security News > 2021 > December > As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.
It's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021.
Version 2.16 of Log4j 2.x is available that disables the vulnerable functionality by default and removes the insecure message lookup code completely.
CISA has a bunch of useful resources here on GitHub, including a big list of affected software and products and related advisories - from Amazon cloud services to VMware tools.
"CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.
CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/12/15/log4j_latest_cisa/
Related news
- China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets (source)
- Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks (source)
- China, Russia, Iran, and North Korea Intelligence Sharing (source)
- FCC stands up Council on National Security to fight China in ways that CISA used to (source)
- China’s FamousSparrow flies back into action, breaches US org after years off the radar (source)
- Ex-Meta exec tells Senate Zuck dangled US citizen data in bid to enter China (source)
- China reportedly admitted directing cyberattacks on US infrastructure (source)
- China names alleged US snoops over Asian Winter Games attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity siemens apache intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |