
Log4J vulnerability: important information for CF & Java users


Updated December 16, 2021

Does FusionReactor need an update to fix the vulnerability?

The FusionReactor agent does not depend on or use Log4j and is therefore not susceptible to this vulnerability. To protect you and your customers, you need to make sure that every framework, library or other component you use is updated.

Is FusionReactor protected?

All FusionReactor SaaS (Cloud) services using Log4j have been updated to address this issue.

What are the weaknesses of Log4J?

Log4j problems were first observed in the game Minecraft, but it soon became clear that their impact was much greater. Millions of web applications use the software, including Apple’s iCloud. Attacks that exploit the bug, known as Log4Shell attacks, have been occurring in the wild since Dec. 9, CrowdStrike says.

Log4j, which is used by millions of web servers, has been found to contain a critical security flaw. Those servers are vulnerable to attacks exploiting the bug, and teams around the world are trying to patch them before hackers gain access. “The Internet is on fire right now,” said Adam Meyers of security firm CrowdStrike.

Discovered on December 13th: the fix in Apache Log4j 2.15.0 for CVE-2021-44228 is incomplete in non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default pattern layout with either a context lookup (for example, $${ctx:loginId}) or a thread context map pattern (%X, %mdc or %MDC), to craft malicious input data using a JNDI lookup pattern, resulting in a denial of service (DoS) attack.

Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Read more: https://logging.apache.org/log4j/2.x/security.html

How to protect yourself

Updated December 16, 2021

On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address a second vulnerability, CVE-2021-45046.

Note: Affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected from both CVE-2021-44228 and CVE-2021-45046.

On December 10, 2021, the Apache Foundation issued an emergency update for a critical zero-day vulnerability in Log4j, a logging library used in almost every Java application. The problem was named Log4Shell and was assigned the ID CVE-2021-44228.

An attacker could run arbitrary code on a system that uses Log4j to write log messages by exploiting a bug in the Log4j library. The vulnerability has a wide impact and should be addressed by anyone who uses Log4j in their application.

This is really important for ColdFusion, Lucee and Java users

Anyone using CF, Lucee or Java should check to make sure they are safe. This issue can affect you and any customer who uses your code.
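As an added example of that check (not code from the original post or from FusionReactor), the Python script below walks an install directory, identifies every log4j-core jar by its Maven pom.properties, and classifies the version against the 2.16.0 requirement stated above, flagging 2.15.0 separately because it only partially fixed CVE-2021-44228. The install path is an assumption; make_sample_jar builds a constructed in-memory jar so the script can be exercised offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Per the Apache advisory: 2.15.0 fixed CVE-2021-44228 only partially and is
# affected by CVE-2021-45046; 2.16.0 addresses both.
FIXED_VERSION = (2, 16, 0)
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None if absent."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            nums = [int(n) for n in re.findall(r"\d+", value)[:3]]
            return tuple(nums + [0] * (3 - len(nums)))
    return None

def inspect_log4j_jar(jar_bytes):
    """Inspect one jar (as bytes); return a finding dict, or None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        pom = next((n for n in names if POM_RE.search(n)), None)
        if pom is None:
            return None
        version = parse_version(zf.read(pom).decode("utf-8", "replace"))
        # Informational only: fixed releases still ship the class with JNDI disabled by default.
        has_jndi = any(n.endswith("core/lookup/JndiLookup.class") for n in names)
    if version is None:
        status = "unknown version; inspect manually"
    elif version >= FIXED_VERSION:
        status = "fixed (>= 2.16.0)"
    elif version == (2, 15, 0):
        status = "vulnerable: CVE-2021-45046 (partial fix only); upgrade to 2.16.0"
    else:
        status = "vulnerable: CVE-2021-44228 and CVE-2021-45046; upgrade to 2.16.0"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}

def scan_directory(root):
    """Walk a CF/Lucee/Java install (assumed path) and report every log4j-core jar found."""
    return {str(j): r for j in Path(root).rglob("*.jar")
            if (r := inspect_log4j_jar(j.read_bytes())) is not None}

def make_sample_jar(version):
    """Constructed in-memory jar mimicking log4j-core metadata; test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run scan_directory against the ColdFusion or Lucee installation root and each jar in the result carries its version and upgrade status.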
