Dealing with log4shell will be a marathon,” Ullrich said. “Log4Shell will continue to haunt us for years to come. Part of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Check with all the vendors in your enterprise to see if they are impacted and what patches are available.” “If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. An extensive list of responses from impacted organizations has been compiled here.” We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.
“Anybody using Apache Struts is likely vulnerable. “Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” Lunasec wrote. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.Īccording to researchers at Lunasec, many, many services are vulnerable to this exploit. 9 in the popular logging library for Java called “ log4j,” which is included in a huge number of Java applications. Log4Shell is the name picked for a critical flaw disclosed Dec.
#DECEMBER 7 CRITICAL OPS HACK PATCH#
But this month’s Patch Tuesday is overshadowed by the “ Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. Microsoft, Adobe, and Google all issued security updates to their products today.