Log4j Blues

deanwebb · December 16, 2021, 08:28:07 AM

Well, I've had to move planned holiday PTO because of Log4j.

Just so everyone knows, version 2.15 fixes most things. Version 2.16 fixes all known vulnerabilities.

Lots of vendors impacted, too many for the CISA to fully track. Thankfully, the major operating systems don't run on java, so we don't have to rush out patches for all of Windows or MacOS or Linux platforms. All the same, this incident draws a line under any company's level of patch management.

heath · December 16, 2021, 09:52:20 PM

https://github.com/NCSC-NL/log4shell/tree/main/software

Dieselboy · December 19, 2021, 10:59:12 PM

Since you wrote that post, they released v 2.17 to fix another vulnerability that existed in 2.16 on 18th December.

Quote from: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Apache has released log4j 2.17.0 to address the new vulnerability CVE-2021-45105. The vulnerability is the result of an infinite recursion resulting in denial of service. Recommendation is to upgrade to 2.17.0. Additional details of the vulnerability can be found below. This vulnerability is already detected with existing coverage.

Update your signatures...

QuoteUpdated Coverage: Cisco Talos has released additional coverage today including vSphere detection. New signatures released are SIDs: 58740-58742, 58801-58814. Additionally, Cisco Talos has released new and updated ClamAV signatures.

deanwebb · December 20, 2021, 08:31:09 AM

Yep. 2.17 is the one that fixes everything. Today. As of 8:30 AM, US Central Time.

Log4j Blues

deanwebb

heath

Dieselboy

deanwebb