Log4J vulnerability: Red alert issued by BSI

The full scope of the Log4J vulnerability cannot yet be foreseen. The German Federal Office for Information Security (BSI) has therefore issued its highest warning level, “4/Red”. According to the BSI, the vulnerability is already being actively exploited.

Log4J vulnerability: A major threat

The threat posed by the Log4J vulnerability (CVE-2021-44228) is apparently greater than originally thought. The widely used logging tool Log4J is far too easy to hijack, and Minecraft, cryptominers and many other programs are affected. The full scope of the vulnerability cannot yet be determined.

Contrary to previous assumptions, version 1 of Log4J is now also considered vulnerable to the attack under certain circumstances, not just version 2. V1 is End of Life (EOL) and has not been officially maintained for several years.

Cloudflare and others are comparing the Log4J vulnerability, now also referred to as Log4Shell, to Heartbleed or Shellshock. It is possible that a large number of servers on the Internet have already been affected. Even the electronic lawyer mailbox (beA) uses Log4J and is affected – as a result, the portal is currently unavailable.

The BSI writes about this:

Accordingly, this critical vulnerability potentially impacts all Java applications accessible from the Internet that log portions of user requests using log4j.

There is a high probability that attacker activity related to this vulnerability will increase significantly in the coming days.

Log4J: Detection is difficult

The number of applications that use Log4J is almost infinite. At the same time, it is extremely difficult to work out which programs depend on Log4J. Cloudflare, for example, describes in its company blog how it plans to tackle this.

It said it had examined all its JVM instances and found that its instances of “Elasticsearch, Logstash and Bitbucket” were vulnerable. Meanwhile, many other vendors and software providers have followed suit. A list on GitHub shows several more applications and web services as vulnerable.
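The inventory problem described above is largely one of nesting: Log4J is often bundled inside application archives rather than installed as a visible file. The following sketch is an added example, not code from the article, the BSI or Cloudflare; it looks inside JAR/WAR/EAR files, including archives packed within archives, for the class files that identify Log4J 2.x and 1.x. The function names, the size and depth limits and the sample version string are assumptions made for illustration, and a hit means the library is present, not that the application is exploitable.

```python
import io
import zipfile
from pathlib import Path

# Archive entries that identify Log4J (known artifact layout, not from the article).
V2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_MARKER = "org/apache/log4j/Logger.class"
V2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH, MAX_NESTED = 5, 256 * 1024 * 1024  # assumed limits (zip-bomb guard)

def scan_archive(data, label, depth=0):
    """Return [(location, generation, version)] for an archive given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive despite its extension
    findings = []
    with zf:
        names = set(zf.namelist())
        if V2_MARKER in names:
            version = "unknown"
            if V2_POM in names:  # Maven metadata carries the bundled version
                props = zf.read(V2_POM).decode("utf-8", "replace").splitlines()
                version = next((ln[8:].strip() for ln in props
                                if ln.startswith("version=")), "unknown")
            findings.append((label, "2.x", version))
        if V1_MARKER in names:
            findings.append((label, "1.x", "unknown"))
        for name in sorted(names):  # recurse into bundled archives (fat JARs, WARs)
            if (depth < MAX_DEPTH and name.lower().endswith(ARCHIVE_EXT)
                    and zf.getinfo(name).file_size <= MAX_NESTED):
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    return findings

def scan_tree(root):
    """Scan every archive file below a directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings += scan_archive(path.read_bytes(), str(path))
    return findings

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Shaded or repackaged builds that rename the packages will not match these markers, so an empty result does not prove that Log4J is absent.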

According to the Apache Software Foundation, which maintains the tool, Log4J is apparently developed by its two maintainers, Ralph Goers and Gary Gregory, on a hobby basis.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
