On Friday, a zero-day vulnerability in the Java library Log4j was announced. Log4j is open source software. It is widely used, as previously reported. Log4j is integrated into a variety of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink.
This means that a huge number of third-party applications can be vulnerable. Even for big companies like Steam, Apple, Twitter and Amazon, it should not be dismissed as a serious security risk. Many home users and companies are equally affected.
Highest warning level
The German Federal Office for Information Security (BSI) has therefore issued a red alert and raised the vulnerability to its highest warning level. According to the BSI statement, it has been observed that the vulnerability can be exploited without explicitly reloading malicious code. The vulnerability is trivial to exploit and a proof of concept is publicly available, according to the BSI.
The problem: successful exploitation of the vulnerability allows a complete takeover of the affected system. “The BSI is aware of large-scale scans around the world and in Germany, as well as attempted compromises.” The BSI statement said that the first successful compromises have been publicly reported.
Many attacks are in progress
“The point of a Log4j attack is that the server executes the code automatically. Whatever the attacker wants to do on a server with the vulnerability, he/she can do it. So it is very important to patch as soon as possible, because a lot of people who don’t have anything good on their minds are already trying to test servers that are still vulnerable,” says Paul Ducklin, IT security expert at Sophos.
All products must be adapted
There is a security update for the affected Java Log4j library, but all products that use Log4j must also be adapted. According to the BSI, it is currently “not clear” which products have actually been updated and which have not.
In addition, it is often not easy for operators of IT software projects to find out which applications are using Log4j. Cloudflare describes in a blog post how it did this itself, in order to help other companies and IT operators find all the applications.
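One way to take such an inventory on a single host, as an added example that is not from the original article or from Cloudflare's blog post: it walks a directory, opens JAR/WAR/EAR archives (including archives nested inside them) and reports each bundled copy of log4j-core with the version from its Maven metadata. The function names, the nesting and size limits, and the use of the `JndiLookup` class as the marker are assumptions of this example.

```python
import io
import os
import re
import sys
import zipfile

# Assumption of this example: a bundled log4j-core 2.x is recognised by its JNDI
# lookup class; the Maven metadata next to it, when present, gives the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED = 256 * 1024 * 1024  # skip oversized inner archives (zip-bomb guard)


def scan_archive(data, label, findings, depth=0):
    """Append (location, version) for each log4j-core copy, following nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable zip-format archive
    with zf:
        entries = {i.filename: i for i in zf.infolist()}
        if JNDI_CLASS in entries:
            props = zf.read(POM_PROPS) if POM_PROPS in entries else b""
            m = re.search(rb"^version=(\S+)", props, re.M)
            findings.append((label, m.group(1).decode() if m else "unknown"))
        for name, info in entries.items():
            nested = name.lower().endswith(ARCHIVE_EXT) and depth < 5
            if nested and info.file_size <= MAX_NESTED:
                scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory and return findings for every archive below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        scan_archive(fh.read(), path, findings)
                except (OSError, RuntimeError, zipfile.BadZipFile):
                    continue  # unreadable, encrypted or corrupt: skip, keep scanning
    return findings


if __name__ == "__main__":
    for location, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}\tlog4j-core {version}")
```

A hit only shows that the library is bundled in that archive; whether the product is fixed still has to be checked against the vendor's update, and copies repackaged under other class names will not be found this way.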
What to do beyond the immediate measures?
The Log4j vulnerability means a red alert not only for companies; private users can also be affected by its effects, Sophos explains. This is especially true when individuals use cloud servers operated by a hosting company or another managed service provider, whether for a blog, a forum or a family website. The first thing to do here is to find out whether these services are at risk and when fixes are planned.
The following applies to users and businesses: as soon as updates are available for individual products, they must be installed. For companies, the following also applies: all systems that have been vulnerable must be checked for compromise, because the security hole is already being actively exploited.
As drastic measures, the BSI recommends completely shutting down non-essential systems and segmenting networks in order to isolate vulnerable systems. More tips are also available at CERT.at. Apache, the licensor, has also posted instructions on what to do.