Connect with us

Tech

It could take years for applications using vulnerable version of Java log4j library to be patched, says expert – IT World Canada

Published

 on


Infosec leaders around the world are being urged to heed warnings from national computer emergency teams, software suppliers and cybersecurity experts about a critical logging-related vulnerability in Apache, Apple iCloud and other business applications. Managed service providers are likely also affected, say experts.

The bug, CVE-2021-44228, affects a Java logging package called log4j. It was revealed Thursday by Lunasec and on Friday by Huntress Labs, and is already being exploited, according to an alert from the Canadian Centre for Cyber Security. The U.S. Cyber Security and Infrastructure Security Agency also issued a notification.

Huntress reports that ConnectWise has issued advisories and concerns for ConnectWise Manage installations, N-able has confirmed that its RMM and N-Central are affected, and one researcher says the UniFi controller platform is also vulnerable.

Log4j is a library that helps IT administrators create logs. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from Lightweight Directory Access Protocol (LDAP) servers when message lookup substitution is enabled, says the National Institute of Standards and Technology (NIST).

The vulnerability is in log4j versions 2.0-beta9 to 2.14.1. Within hours of being notified, Apache issued version 2.15.0 for application developers; it disables message lookup substitution by default. Oracle has also distributed the patch. However, developers now have to push out updates for their applications, which may give time for exploitation to attackers. In the meantime, IT managers will have to rely on advice from application providers to apply mitigations.

Adobe also says Java 7+ users should migrate to version 2.8.2 or avoid using the socket server classes. Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix from 2.8.2.

Many open source projects like the Minecraft server, called Paper, have already begun patching their usage of log4j, according to LunaSec

In an interview, Johannes Ullrich, dean of research at the SANS Institute, predicted it will take years for organizations and cloud providers to patch their applications to close this hole. Oracle is still patching some of its applications from different log4j vulnerabilities discovered several years ago, he pointed out.

“This is one of those issues like Java (Apache) Struts and Heartbleed, where we have a library included in tons and tons of mission-critical software. The exploit allows you to completely take over a system it’s running on. It will be an absolute nightmare to patch this vulnerability in large enterprise environments.”

One worry is that threat actors may have already exploited the vulnerability, he said, so patching for them is too late.

Asked what IT managers should be doing, Ullrich said they should be trying to identify software in their environments that includes log4j. “If the software is written in Java then it’s often using log4j. There are some configuration changes that you can make that may help. Depending on how the library’s being used, it may not even reach those configuration changes if you link them back to an application’s configuration file.

“You may be able to add additional security around an application, like additional firewall rules and intrusion protection rules that block the vulnerability. Try to find whatever mitigating rule you can find to add additional layers to sort of put ‘bubble wrap’ around those applications.”

The notice from LunaSec includes temporary mitigations, he added.

The vulnerability can be triggered by an attacker sending a string from a server to an application with a vulnerable version of log4j. A threat actor might supply special text in an HTTP User-Agent header or a simple POST form request, says Huntress.

Huntress has created a tool to help IT departments test whether their applications are vulnerable.

Arshan Dabirsiaghi, co-founder and chief scientist at Contrast Security, said that any Java application that logs data uses log4j. It’s the most popular logging framework in the Java ecosystem and is used by millions of applications. “Make no mistake, this is the largest Java vulnerability we have seen in years. It’s absolutely brutal,” he said.

“There are three main questions that teams should answer now—where does this impact me, how can I mitigate the impact right now to prevent exploitation, and how can I locate this and similar issues to prevent future exploitation?”

In an end-of-the-week news commentary, SANS Institute instructor Chris Elgee said  the discovery of this vulnerability is a case for continuous in-house pentesting for organizations large enough to support it. “Apache log4j is one of those web application plumbing components that many companies won’t know they’re using – much like Apache Struts 2. In fact, if you’re running Struts 2, you’re likely running a vulnerable version of log4j. Further, much like Struts vulnerabilities, it’s the kind of flaw that generally needs to be checked actively and won’t come up in typical vulnerability scans.”

Adblock test (Why?)



Source link

Continue Reading

Tech

Apple requires employees to have proof of a COVID booster as Omicron spreads, according to reports – Euronews

Published

 on


Apple will require retail and corporate employees to provide proof of a COVID-19 booster shot, The Verge reported on Saturday citing an internal email.

Starting January 24, unvaccinated employees or those who haven’t submitted proof of vaccination will need negative COVID-19 tests to enter Apple workplaces, the report said.

The Verge said it was not immediately clear if the testing requirement applies to both corporate and retail employees.

“Due to waning efficacy of the primary series of COVID-19 vaccines and the emergence of highly transmissible variants such as Omicron, a booster shot is now part of staying up to date with your COVID-19 vaccination to protect against severe disease,” the memo read, according to The Verge.

Apple did not immediately respond to a request from Reuters for comment.

Many companies in the US have been strengthening their COVID-19 rules, mandating vaccination and delaying back-to-office plans as the Omicron variant increases infections across the country.

This week, Facebook parent Meta Platforms mandated COVID-19 booster shots for all workers returning to offices. It also delayed U.S. office reopenings to March 28, from an earlier plan of January 31.

Alphabet Inc’s Google on Friday said it was temporarily mandating weekly COVID-19 tests for people entering its US offices.

A report by The Information said Amazon.com Inc has offered its US warehouse workers $40 (€35) to get a booster shot.

Adblock test (Why?)



Source link

Continue Reading

Tech

The mid-2012 MacBook Pro 13-inch will soon become obsolete – Vaughan Today

Published

 on



Apple will declare the mid-2012 13.3-inch MacBook Pro a “legacy” on January 31, according to an internal memo intercepted by Apple. Mac rumors. This is the last step before it becomes permanently outdated: it means that Apple will stop providing compatible parts to Apple Stores and Authorized Service Centers. It will always be possible to get a repair in the event of a breakdown, but within the limits of the available parts: this will therefore be increasingly difficult, up to the complete obsolescence that must be declared in a couple of years. You can refer to the list of old and outdated products on this page.

The mid 2012 13.3-inch MacBook Pro is the last model to feature an integrated CD/DVD drive. It was on sale until October 2016 to provide a more affordable alternative to models with Retina displays, which explains this late obsolescence. It is particularly reliable and offers interesting upgrade possibilities for people who want to replace the optical drive with a second volume. It is a standout model. Its time and about to give it up.

Links not showing up? Pictures are missing? Your ad blocker plays tricks on you.
To view all of our content, please turn off your ad blocker!

“Proud thinker. Tv fanatic. Communicator. Evil student. Food junkie. Passionate coffee geek. Award-winning alcohol advocate.”

Adblock test (Why?)



Source link

Continue Reading

Tech

Stable ColorOS 12 update goes live for OPPO A73, A74, F19 Pro+, and more – XDA Developers

Published

 on


OPPO has started seeding a stable ColorOS 12 update based on Android 12 to a bunch of its mid-range devices, including the OPPO A73, F19 Pro+, Reno 5Z, and Reno 6Z. OPPO previously said it would kick off the stable update rollout for these devices from January 17 and it’s making good on its promise.

Hands-on with ColorOS 12 based on Android 12: Here’s everything new in the latest update for OPPO smartphones

As per recent announcements posts on OPPO Community, the stable ColorOS 12 update with Android 12 is currently rolling out to the OPPO A73, OPPO A74, OPPO Reno 5Z, Reno 6Z 5G, and Reno 5Z in various regions. The update is live for the OPPO A73 and Reno 5Z in Saudi Arabia and the UAE. Similarly, the OPPO A74 and F19 Pro+ units in India have also started receiving it. Finally, the OPPO Reno 6Z update is currently rolling out in Cambodia, Thailand, Vietnam, and the UAE.

If you own any of the above-mentioned devices, be on the lookout for an OTA notification in the coming days. Since the update is rolling out in a staged fashion, it might take several days before it makes its way to everyone. So far, the update has only gone live in select regions, but OPPO says it plans to expand the rollout to other markets soon.

After installing the ColorOS 12 update, users can look forward to many exciting features and changes, such as a new wallpaper-based theming system, Screen Translate, Canvas AOD, Android 12’s Privacy Dashboard and privacy indicators, and much more. You can learn more about ColorOS 12 in our in-depth review of the new skin.

If your phone isn’t on the list, don’t worry. OPPO plans to bring the latest version of its custom skin to many more phones. Owners of the OPPO Reno 5F, Reno 4 Pro, Reno 4F, F19 Pro, and F17 Pro will be able to try out an early version of ColorOS 12 next month. Meanwhile, the Reno 5 Lite, Reno 4, Pro, Reno 4Z, Reno 4 Lite, and more are scheduled to receive a ColorOS 12 beta sometime in March.

Adblock test (Why?)



Source link

Continue Reading

Trending