Displaying items by tag: log4shell
Amazon’s Awkward Moment as Log4J Fix has an Escalation and Escape Bug
It seems that Amazon’s hotfix for Log4Shell in their AWS environment might have been a bit rushed. According to a review of the hot there are a total of four CVEs specifically related to the hotfix and how it functions. CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 have a CVSS score of 8.8 and allow for privilege escalation and container escape. It is not often that a fix for one bad bug contains a potentially worse one, but here we are.
IAG Prophet Spider Targeting VMWare Horizon Servers Via Log4J Vulnerability
A shell for me, a shell for you, a shell for everybody in the room. If you have not heard about Log4J and the associated vulnerabilities in versions between 2.0 and 2.16 you might have not been near a computer in quite a while. This Remote Code Execution vulnerability that has several CVEs (common vulnerabilities and exploits) associated with it is commonly lumped into the term Log4Shell. Log4J itself is a Java based Apache logging framework that is in widespread usage in many applications. The list of impacted applications is not, and may never be, known. Many vendors have release complex mitigation steps and patches, but many devices are not getting patched (nothing surprising here). This has allowed this vulnerability to become quickly weaponized and used in targeted attacks.
White House Issues Memo to NSA and DoD to Improve Security
It is no secret that the NSA and DoD (Department of Defense) and other Government agencies have an issue with security. Over the last few years their security has been about as effect as using a sieve to carry water. The top 10 list of security faux paus include such wonders as the Snowden leak and the OPM breach. However, when I see the White House (any administration) send out memorandums telling Government agencies to tighten up security I laugh a bit.