Complete News World

Serious Security Vulnerabilities Warning by BSI

Serious Security Vulnerabilities Warning by BSI

© Getty Images / iStockphoto / solarseven /

On Friday, a file was announced zero day gap in the java library log4j be. Log4j is open source software. This is diffuse, like the future area Already notified. Log4j is integrated with a variety of popular frameworks, including Apache Struts2, Apache Soler, Apache Droid And Apache Flink.

This means that a huge number of third-party apps can be vulnerable to this. Even big companies like Steam, Apple, Twitter And Amazon It should not be dismissed as a serious security risk. a lot home users And comp Equally affected.

Highest warning level

German Federal Office for Information Security (BSI) So red alert And raise the level of vulnerability to the highest warning level. It was noted that the vulnerability could be exploited without explicitly reloading the malicious code, according to the BSI broadcast. The vulnerability can be exploited in a trivial manner, and proof of concept is publicly available, according to BSI.

The problem with that: successful exploitation of vulnerability allows a full possession to the affected system. “The British Standards Institution (BSI) is aware of comprehensive surveys around the world and Germany, as well as attempted compromises. BSI Radio stated that the first successful concessions were publicly reported.

Many attacks are in progress

“The point of a Log4j attack is that the server executes the code automatically. Whatever the attacker *wants to do on a server with a vulnerability, he/she can do it. So it is very important to debug as soon as possible, because a lot of people who don’t have anything good on their minds are already trying to test servers that are still vulnerable,” Paul Duklin, IT security expert at Sophos.

See also  ÖAMTC and Wien Energie: The Full Speed ​​of the Energy Community

To turn off PDF Javascript, enter "About: config" in the address line

Many IT admins will have a lot to do next week thanks to Log4j.

All products must be customized

There is a security update for the affected Java Log4j library, but all products that use Log4j must also be adapted. According to BSI, it is currently “not clear” which products have actually been updated and which are not.

In addition, it is often not easy for operators of IT software projects to find out which applications are using Log4j. Cloud Flare describe it In a blog postHow you did it yourself to help other companies and IT operators find all the applications.

What do you do besides acute procedures?

The Log4j gap means not only a red alert for companies, but also private users They can be affected by the effect of vulnerability, Sophos explains. This is especially true when individuals use cloud servers operated by a host company or another managed service provider – be it Blog, forum, or family site. The first thing to do here is to find out if these services are at risk and when to plan for corrections.

The following applies to users and businesses: Once Updates Available for individual products, these must be imported. For companies, the following also applies: all systems must be scanned for compromises that have been vulnerable, because the security hole is already actively exploited.

As drastic measures, BSI recommends completely shutting down non-essential systems and partitioning networks in order to isolate vulnerable systems. There are more tips Also at The licensed Apache also has one Instructions posted on what to do.