Infosec leaders around the world are being urged to heed warnings from national computer emergency teams, software suppliers and cybersecurity experts about a critical logging-related vulnerability in Apache, Apple iCloud and other business applications. Managed service providers are likely also affected, say experts.
The bug, CVE-2021-44228, affects a Java logging package called log4j. It was revealed Thursday by LunaSec and on Friday by Huntress Labs, and is already being exploited, according to an alert from the Canadian Centre for Cyber Security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a notification.
Huntress reports that ConnectWise has issued advisories and concerns for ConnectWise Manage installations, N-able has confirmed that its RMM and N-Central are affected, and one researcher says the UniFi controller platform is also vulnerable.
Log4j is a library that Java applications use to write logs. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from Lightweight Directory Access Protocol (LDAP) servers when message lookup substitution is enabled, says the National Institute of Standards and Technology (NIST).
The vulnerability is in log4j versions 2.0-beta9 to 2.14.1. Within hours of being notified, Apache issued version 2.15.0 for application developers; it disables message lookup substitution by default. Oracle has also distributed the patch. However, developers still have to push out updates for their applications, which gives attackers a window for exploitation. In the meantime, IT managers will have to rely on advice from application providers to apply mitigations.
Adobe also says Java 7+ users should migrate to version 2.8.2 or avoid using the socket server classes. Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix from 2.8.2.
Many open source projects, like the Minecraft server Paper, have already begun patching their usage of log4j, according to LunaSec.
In an interview, Johannes Ullrich, dean of research at the SANS Institute, predicted it will take years for organizations and cloud providers to patch their applications to close this hole. Oracle is still patching some of its applications from different log4j vulnerabilities discovered several years ago, he pointed out.
“This is one of those issues like Java (Apache) Struts and Heartbleed, where we have a library included in tons and tons of mission-critical software. The exploit allows you to completely take over a system it’s running on. It will be an absolute nightmare to patch this vulnerability in large enterprise environments.”
One worry is that threat actors may have already exploited the vulnerability, he said, in which case patching alone comes too late for those organizations.
Asked what IT managers should be doing, Ullrich said they should be trying to identify software in their environments that includes log4j. “If the software is written in Java then it’s often using log4j. There are some configuration changes that you can make that may help. Depending on how the library’s being used, it may not even reach those configuration changes if you link them back to an application’s configuration file.
“You may be able to add additional security around an application, like additional firewall rules and intrusion protection rules that block the vulnerability. Try to find whatever mitigating rule you can find to add additional layers to sort of put ‘bubble wrap’ around those applications.”
The notice from LunaSec includes temporary mitigations, he added.
The vulnerability can be triggered by an attacker sending a crafted string to an application that runs a vulnerable version of log4j. A threat actor might supply that text in an HTTP User-Agent header or a simple POST form request, says Huntress.
Huntress has created a tool to help IT departments test whether their applications are vulnerable.
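As an added example of the inventory step Ullrich describes (this is not code from the article, Huntress, LunaSec or Apache), the Python script below walks a directory tree, opens each JAR, WAR or EAR, reads the Maven pom.properties that log4j-core ships with, and flags versions in the 2.0-beta9 to 2.14.1 range. It also reports whether the JndiLookup class is still present, since stripping that class from the JAR is a known mitigation; that check, the archive extensions and the nested-archive handling are my assumptions about a typical deployment, not details the article gives.

```python
import io
import re
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class behind the JNDI lookup; a JAR with it removed is reported but not flagged (assumed mitigation, not from the article).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = {".jar", ".war", ".ear"}  # assumed: where log4j-core is usually bundled

def is_vulnerable_version(version: str) -> bool:
    """True for 2.0-beta9 through 2.14.1, the affected range named in the advisory."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.\d+)?(?:-(beta|rc)(\d+))?", version.strip())
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 2 or minor > 14:
        return False
    if minor == 0 and m.group(3) == "beta":  # 2.0-beta1..beta8 predate the bug
        return int(m.group(4)) >= 9
    return True

def inspect_archive(zf: zipfile.ZipFile, origin: str, findings: list) -> None:
    """Record any log4j-core in zf, then recurse into nested JAR/WAR/EAR entries."""
    names = set(zf.namelist())
    if POM in names:
        m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        has_jndi = JNDI_CLASS in names
        findings.append({"path": origin, "version": version, "jndi_lookup_present": has_jndi,
                         "vulnerable": has_jndi and is_vulnerable_version(version)})
    for name in names:
        if Path(name).suffix.lower() in ARCHIVE_EXT:
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{origin}!{name}", findings)

def scan_tree(root: str) -> list:
    """Walk root and return one finding per log4j-core archive found, nested ones included."""
    findings: list = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, str(path), findings)
            except zipfile.BadZipFile:  # a .jar that is not a zip is skipped
                continue
    return findings
```

Call `scan_tree("/path/to/deployed/apps")` and review every entry with `vulnerable` set; entries whose JndiLookup class is absent still deserve a look, since the version alone says the library is old.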
Arshan Dabirsiaghi, co-founder and chief scientist at Contrast Security, said that any Java application that logs data uses log4j. It’s the most popular logging framework in the Java ecosystem and is used by millions of applications. “Make no mistake, this is the largest Java vulnerability we have seen in years. It’s absolutely brutal,” he said.
“There are three main questions that teams should answer now—where does this impact me, how can I mitigate the impact right now to prevent exploitation, and how can I locate this and similar issues to prevent future exploitation?”
In an end-of-the-week news commentary, SANS Institute instructor Chris Elgee said the discovery of this vulnerability is a case for continuous in-house pentesting for organizations large enough to support it. “Apache log4j is one of those web application plumbing components that many companies won’t know they’re using – much like Apache Struts 2. In fact, if you’re running Struts 2, you’re likely running a vulnerable version of log4j. Further, much like Struts vulnerabilities, it’s the kind of flaw that generally needs to be checked actively and won’t come up in typical vulnerability scans.”
Apple requires employees to have proof of a COVID booster as Omicron spreads, according to reports – Euronews
Apple will require retail and corporate employees to provide proof of a COVID-19 booster shot, The Verge reported on Saturday citing an internal email.
Starting January 24, unvaccinated employees or those who haven’t submitted proof of vaccination will need negative COVID-19 tests to enter Apple workplaces, the report said.
The Verge said it was not immediately clear if the testing requirement applies to both corporate and retail employees.
“Due to waning efficacy of the primary series of COVID-19 vaccines and the emergence of highly transmissible variants such as Omicron, a booster shot is now part of staying up to date with your COVID-19 vaccination to protect against severe disease,” the memo read, according to The Verge.
Apple did not immediately respond to a request from Reuters for comment.
Many companies in the US have been strengthening their COVID-19 rules, mandating vaccination and delaying back-to-office plans as the Omicron variant increases infections across the country.
This week, Facebook parent Meta Platforms mandated COVID-19 booster shots for all workers returning to offices. It also delayed U.S. office reopenings to March 28, from an earlier plan of January 31.
Alphabet Inc’s Google on Friday said it was temporarily mandating weekly COVID-19 tests for people entering its US offices.
A report by The Information said Amazon.com Inc has offered its US warehouse workers $40 (€35) to get a booster shot.
The mid-2012 MacBook Pro 13-inch will soon become obsolete – Vaughan Today
Apple will declare the mid-2012 13.3-inch MacBook Pro a “legacy” product on January 31, according to an internal memo obtained by MacRumors. This is the last step before it becomes permanently outdated: it means that Apple will stop providing compatible parts to Apple Stores and Authorized Service Centers. It will still be possible to get a repair in the event of a breakdown, but only within the limits of the available parts, so repairs will become increasingly difficult until complete obsolescence is declared in a couple of years. You can refer to the list of old and outdated products on this page.
The mid-2012 13.3-inch MacBook Pro is the last model to feature an integrated CD/DVD drive. It was on sale until October 2016 as a more affordable alternative to models with Retina displays, which explains this late obsolescence. It is particularly reliable and offers interesting upgrade possibilities for people who want to replace the optical drive with a second drive. It is a standout model whose time is about to run out.
Stable ColorOS 12 update goes live for OPPO A73, A74, F19 Pro+, and more – XDA Developers
OPPO has started seeding a stable ColorOS 12 update based on Android 12 to a bunch of its mid-range devices, including the OPPO A73, F19 Pro+, Reno 5Z, and Reno 6Z. OPPO previously said it would kick off the stable update rollout for these devices from January 17 and it’s making good on its promise.
As per recent announcement posts on OPPO Community, the stable ColorOS 12 update with Android 12 is currently rolling out to the OPPO A73, OPPO A74, OPPO Reno 5Z and Reno 6Z 5G in various regions. The update is live for the OPPO A73 and Reno 5Z in Saudi Arabia and the UAE. Similarly, the OPPO A74 and F19 Pro+ units in India have also started receiving it. Finally, the OPPO Reno 6Z update is currently rolling out in Cambodia, Thailand, Vietnam, and the UAE.
If you own any of the above-mentioned devices, be on the lookout for an OTA notification in the coming days. Since the update is rolling out in a staged fashion, it might take several days before it makes its way to everyone. So far, the update has only gone live in select regions, but OPPO says it plans to expand the rollout to other markets soon.
After installing the ColorOS 12 update, users can look forward to many exciting features and changes, such as a new wallpaper-based theming system, Screen Translate, Canvas AOD, Android 12’s Privacy Dashboard and privacy indicators, and much more. You can learn more about ColorOS 12 in our in-depth review of the new skin.
If your phone isn’t on the list, don’t worry. OPPO plans to bring the latest version of its custom skin to many more phones. Owners of the OPPO Reno 5F, Reno 4 Pro, Reno 4F, F19 Pro, and F17 Pro will be able to try out an early version of ColorOS 12 next month. Meanwhile, the Reno 5 Lite, Reno 4, Pro, Reno 4Z, Reno 4 Lite, and more are scheduled to receive a ColorOS 12 beta sometime in March.