At The Identity Organisation, we're here to help!

    Or drop us a mail!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail info@tidorg.com with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038 info@tidorg.com

    Upgraded to log4j 2.16? Surprise, there’s a 2.17 fixing DoS

    log4j cyber attacks

    Yesterday, BleepingComputer summed up all the log4j and logback CVEs known thus far.

    Ever since the critical log4j zero-day saga started last week, security experts have time and time again recommended Apache version 2.16 as the safest release to be on. That advice has now changed with new version 2.17.0 released over the weekend, that fixes a seemingly minor, but ‘High’ severity Denial of Service (DoS) vulnerability that affects log4j 2.16.

    The vulnerability is tracked as CVE-2021-45105 and received a CVSS score of 7.5, it is a DoS flaw that impacts log4j 2.16. Experts have pointed out that even if JNDI lookups were disabled in version 2.16, self-referential lookups remained a possibility under certain circumstances. The new advice states:

    “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups,”

    A version release will push already stretched security teams as they approach the holiday season and are coping with reduced staffing levels.

    Google: Over 35,000 Java packages have Log4j flaws

    The development comes around the same time as Google’s analysis that reveals over 35,000 Java packages contain log4j vulnerabilities.

    “More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities,” explain James Wetter and Nicky Ringland of Google’s Open Source Insights Team in yesterday’s blog post.

    According to Google, the vast majority of vulnerable Java packages in Maven Central borrow log4j “indirectly”—that is log4j is a dependency of a dependency used by the package, a concept also referred to as transitive dependencies.

    As reported by BleepingComputer, threat actors are targeting vulnerable servers with log4j exploits to push malware, with the Conti ransomware gang specifically eying vulnerable VMWare vCenter servers.

    As such, organizations should upgrade to the latest log4j versions and continue to monitor Apache’s advisories for updates.

    With thanks to the Cyber Defence Alliance and BleepingComputer. The full story is here: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/

    Request A Demo: Security Awareness Training

    products-KB4SAT6-2-1

    New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!

    Save My Spot!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW

    Sign Up to the TIO Intel Alerts!

    Back To Top