Apache Log4j Zero Day Exploit Puts Large Number of Servers at Severe Risk | eSecurity Planet

A critical vulnerability in the open-source logging software Apache Log4j 2 is fueling a chaotic race in the cybersecurity world, with the Apache Software Foundation (ASF) issuing an emergency security update as bad actors searched for vulnerable servers.

Log4j 2, developed by the ASF, is a widely used Java package that provides logging for an array of popular applications. The bug, tracked as CVE-2021-44228, is a zero-day vulnerability that allows unauthenticated remote code execution (RCE) and could give attackers control of the systems the software runs on.

The vulnerability – which has been dubbed Log4Shell – has been given a severity score of 10/10, the highest score possible. The Apache Foundation released an emergency patch as part of the 2.15.0 release of Log4j 2 that fixes the RCE vulnerability.

The Broad Reach of Log4j

The software is used by both enterprise applications as well as cloud-based services, and the vulnerability could have wide effects on enterprises, according to security professionals. Log4Shell reportedly also can impact the default configurations of several Apache frameworks, such as Apache Struts2, Apache Druid and Apache Flink.


“Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe,” Free Wortley, CEO of cybersecurity firm LunaSec, and Chris Thompson, a developer at the company, wrote in a blog post. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.”

They wrote that many services are vulnerable to the exploit, including cloud services like Apple iCloud and Steam and applications like Minecraft. Open-source projects like Paper, the server used by Minecraft, have begun patching Log4j 2. Servers used by such well-known companies as Twitter, Cloudflare, Apple and Tencent also have been found to be vulnerable to Log4Shell.

A number of other open-source projects, such as ElasticSearch, Redis and Elastic Logstash, reportedly also use Log4j.

The Log4Shell vulnerability comes months after open-source security was a central topic of discussion at this year’s Black Hat conference.


Enterprises Urged to Apply the Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging users to upgrade to the patched release or to apply the mitigation steps recommended by the ASF.

The RCE vulnerability – which initially was discovered by the Alibaba Cloud Security Team late last month – affects Log4j versions 2.0-beta9 to 2.14.1. According to LunaSec, Log4Shell can be exploited on vulnerable servers whenever attacker-controlled data reaches the server over any protocol and is written to a log. The logged request contains the malicious payload, and that payload is what triggers the Log4j vulnerability.

The server makes a request to attacker.com through the Java Naming and Directory Interface (JNDI) and the response contains a path to a remote Java class file, which is injected into the server process. The injected payload triggers a second stage and then allows an attacker to execute arbitrary code.
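As an added illustration of the affected-version range the article gives above (2.0-beta9 through 2.14.1, fixed in 2.15.0), here is a small triage script that decides whether a Log4j 2 version string falls inside that range and that walks a directory for `log4j-core` jars and reads each one's version from its manifest. This is example code written for this page, not code from the article, LunaSec or the Log4j project; it assumes that log4j-core jars carry an `Implementation-Version` entry in `META-INF/MANIFEST.MF`, as Maven-built jars do, and the two sample jars it builds are constructed for the demonstration.

```python
"""Triage helper for the Log4Shell version range (added example, not the
article's or the Log4j project's code)."""
import os
import re
import tempfile
import zipfile

# Range as stated in the article: first affected and first fixed release.
FIRST_AFFECTED = "2.0-beta9"
FIRST_FIXED = "2.15.0"

# Accepts "2.14.1", "2.0" and pre-release forms such as "2.0-beta9" / "2.0-rc1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn a version string into a tuple that sorts correctly.

    A pre-release sorts before the final release of the same number, so
    2.0-beta9 < 2.0 < 2.0.1.  Unrecognised strings raise ValueError so the
    caller can flag them for manual review instead of silently passing them.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    if tag:
        pre = (0, {"alpha": 0, "beta": 1, "rc": 2}[tag.lower()], int(tagnum))
    else:
        pre = (1, 0, 0)  # final release: sorts after any pre-release
    return (int(major), int(minor), int(patch or 0)) + pre


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIRST_FIXED."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


def jar_version(path):
    """Read Implementation-Version from the jar manifest (assumed present)."""
    with zipfile.ZipFile(path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def find_affected_jars(root):
    """Walk `root` for log4j-core jars; return (affected, unknown) path lists.

    `affected` holds (path, version) pairs inside the range; `unknown` holds
    jars whose version could not be read or parsed and needs a manual look.
    """
    affected, unknown = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None:
                unknown.append(path)
                continue
            try:
                if is_affected(version):
                    affected.append((path, version))
            except ValueError:
                unknown.append(path)
    return affected, unknown


def _make_jar(path, version):
    """Build a minimal jar (a zip with only a manifest) as constructed sample data."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n",
        )


def demo():
    """Constructed scenario: one affected jar, one fixed jar, one unparsable."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        _make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        _make_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
        _make_jar(os.path.join(lib, "log4j-core-snap.jar"), "2.14.1-SNAPSHOT")
        affected, unknown = find_affected_jars(root)
        return sorted(v for _, v in affected), sorted(os.path.basename(p) for p in unknown)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately conservative: anything it cannot parse lands in the `unknown` list rather than being treated as safe, and it only looks at manifest versions, so a log4j-core copy shaded into another jar or renamed would not be found by filename and needs a separate content-based search.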

Tweet Fuels Rush by Good Guys, Bad Actors

The flurry of activity around Log4Shell was kicked off on Thursday when it was disclosed on Twitter in a tweet that included a proof-of-concept (PoC) code.


“This is a worst-case scenario,” Casey Ellis, founder and CTO at crowdsourced security vendor Bugcrowd, told eSecurity Planet, noting the “combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet. It’s going to be a long weekend for a lot of people.”

The Log4j tweet


Attackers Seeking Servers

A number of organizations, including computer emergency response teams (CERTs) for Deutsche Telekom and New Zealand, said they have seen attackers seeking servers that are vulnerable to Log4Shell. Deutsche Telekom officials said in a tweet that they “are observing attacks in our honeypot infrastructure coming from the TOR network.”

In a similar tweet, security firm GreyNoise reported that it “is currently seeing 2 unique IP’s scanning the internet for the new Apache Log4j RCE vulnerability…”

“RCE vulnerabilities on webservers represent the most serious of issues,” John Bambenek, principal threat hunter at cybersecurity company Netenrich, told eSecurity Planet. “With PoC code already released, we will likely start seeing exploitation by the end of today. As webapps running this kind of setup typically would process sensitive information, the mitigations in question should be applied immediately, which includes updating Java.”

He added that web application firewalls should also be updated to include an appropriate rule to block such attacks.

Vulnerability Tested

Researchers with cybersecurity company Randori’s Attack Team wrote in a blog post that they developed a working exploit and successfully leveraged the Log4j vulnerability in customer environments as part of the vendor’s offensive security platform.

“The vulnerability is reachable via a multitude of application-specific methods,” they wrote. “Effectively, any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation. This vulnerability is highly likely to be exploited in the wild and is likely to impact thousands of organizations. This vulnerability poses a significant real-world risk to affected systems.”

More Vulnerable Products Expected

That said, assessing long-term effects of Log4Shell isn’t easy, the Randori researchers wrote. However, the immediate impacts will be felt.

“The Log4j 2 library is very frequently used in enterprise Java software,” they wrote. “Due to this deployment methodology, the impact is difficult to quantify. Similarly to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come. Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately.”

Dor Dali, director of information security at cybersecurity vendor Vulcan Cyber, told eSecurity Planet that he would put it in the top-three worst vulnerabilities that have arisen this year.

“It wouldn’t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,” Dali said. “Connecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren’t taken right away. The Log4j vulnerability is relatively easy to exploit and we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world.”


Photos of Samsung Galaxy A53 5G's components confirm four rear cameras, one selfie – GSMArena.com news

The Samsung Galaxy A53 5G will reuse the bump design of the A52 trio for the quad camera on its back. This was seen in speculative renders from last year, but now we have real-world confirmation as well from spy photos of the A53 5G’s frame and rear panel that were shared by 91Mobiles.

The panel appears black, though this could be prior to painting. Either way, black is one of the rumored color options for this model, alongside white, light blue and orange. This same color palette will be used for other Ax3 phones as well, including the Galaxy A13 and A33 5G.


Samsung Galaxy A53 5G rear panel and mid-frame
Samsung Galaxy A53 5G rear panel and mid-frame
Samsung Galaxy A53 5G rear panel and mid-frame

Samsung Galaxy A53 5G rear panel and mid-frame

As for the cameras, it will indeed have four modules, despite TENAA listing only three. The main camera is expected to have the same 64 MP resolution as the A52 models, but the ultra wide may be getting an upgrade to 32 MP (up from 12 MP).

We wouldn’t put too much stock in the TENAA specs, though; they also listed two selfie cameras, and we haven’t seen any evidence of that, not even in TENAA’s own photos of the phone. And if you look at the photo of the phone’s mid-frame, there is only one centered punch hole for a selfie camera.

Samsung Galaxy A53 5G speculative renders (image credit)

The Samsung Galaxy A53 5G will use two different chipsets, one of which is expected to be the Exynos 1200. Note that there isn’t going to be an A53 4G; the two different chips will both power 5G units. Other than that, they should share the same hardware.

The A53 is expected to be announced in the first quarter of this year, likely alongside other Ax3 models.


Xbox boss wants to revive old Activision Blizzard games – Rock Paper Shotgun

Of the many possibilities that Microsoft buying Activision Blizzard might enable, only one seems really clear: that Microsoft will put Actiblizz games on Game Pass. Beyond that, it’s all mights and maybes. Here’s another maybe: Microsoft Gaming CEO Phil Spencer says they’re hoping to dig into Actiblizz’s “franchises that I love from my childhood,” raising the likes of Hexen and King’s Quest. What better use for $69 billion than wallowing in nostalgia?


Meta researchers build an AI that learns equally well from visual, written or spoken materials – TechCrunch

Advances in the AI realm are constantly coming out, but they tend to be limited to a single domain: For instance, a cool new method for producing synthetic speech isn’t also a way to recognize expressions on human faces. Meta (AKA Facebook) researchers are working on something a little more versatile: an AI that can learn capably on its own whether it does so in spoken, written or visual materials.

The traditional way of training an AI model to correctly interpret something is to give it lots and lots (like millions) of labeled examples. A picture of a cat with the cat part labeled, a conversation with the speakers and words transcribed, etc. But that approach is no longer in vogue as researchers found that it was no longer feasible to manually create databases of the sizes needed to train next-gen AIs. Who wants to label 50 million cat pictures? Okay, a few people probably — but who wants to label 50 million pictures of common fruits and vegetables?

Currently some of the most promising AI systems are what are called self-supervised: models that can work from large quantities of unlabeled data, like books or video of people interacting, and build their own structured understanding of what the rules are of the system. For instance, by reading a thousand books it will learn the relative positions of words and ideas about grammatical structure without anyone telling it what objects or articles or commas are — it got it by drawing inferences from lots of examples.

This feels intuitively more like how people learn, which is part of why researchers like it. But the models still tend to be single-modal, and all the work you do to set up a semi-supervised learning system for speech recognition won’t apply at all to image analysis — they’re simply too different. That’s where Facebook/Meta’s latest research, the catchily named data2vec, comes in.

The idea for data2vec was to build an AI framework that would learn in a more abstract way, meaning that starting from scratch, you could give it books to read or images to scan or speech to sound out, and after a bit of training it would learn any of those things. It’s a bit like starting with a single seed, but depending on what plant food you give it, it grows into a daffodil, pansy or tulip.

Testing data2vec after letting it train on various data corpora showed that it was competitive with and even outperformed similarly sized dedicated models for that modality. (That is to say, if the models are all limited to being 100 megabytes, data2vec did better — specialized models would probably still outperform it as they grow.)

“The core idea of this approach is to learn more generally: AI should be able to learn to do many different tasks, including those that are entirely unfamiliar,” wrote the team in a blog post. “We also hope data2vec will bring us closer to a world where computers need very little labeled data in order to accomplish tasks.”

“People experience the world through a combination of sight, sound and words, and systems like this could one day understand the world the way we do,” commented CEO Mark Zuckerberg on the research.

This is still early stage research, so don’t expect the fabled “general AI” to emerge all of a sudden — but having an AI that has a generalized learning structure that works with a variety of domains and data types seems like a better, more elegant solution than the fragmented set of micro-intelligences we get by with today.

The code for data2vec is open source; it and some pretrained models are available here.
