Article from ADMIN 67/2022
WhiteSource Releases Free Log4j Detection Tool

As the Log4j vulnerability continues to wreak havoc on the IT landscape, everyone is trying to prevent disaster from striking. A number of companies and development teams have released tools to help with the detection and remediation of the vulnerability. One such company is WhiteSource. Their new tool, Log4j Detect (https://github.com/whitesource/log4j-detect-distribution), is an open source, command-line utility that scans your projects to detect the following known CVEs:

  • CVE-2021-45046
  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45105

Once the scan is complete, it will report back the exact path of the vulnerable files as well as the fixed version you'll need to remediate the issue. Log4j Detect should be run within the root directory of your projects and will also search for vulnerable files with both the .jar and .gem extensions. Log4j Detect supports the Gradle, Maven, and Bundler package managers.

In order for Log4j Detect to run properly, you'll need to install either Gradle (if the project is a Gradle project) or mvn (if the project is a Maven project). The developers have also indicated that both Maven and Bundler projects must be built before scanning. Once you have Log4j Detect installed, the scan can be issued with the command log4j-detect scan -d PROJECT (where PROJECT is the directory housing your project).
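To show what a scanner of this kind actually checks, here is an added Python example (not WhiteSource's code): it opens a .jar, looks for the JndiLookup class that makes log4j-core exploitable, reads the log4j-core version from the Maven pom.properties, and flags anything below the 2.15.0 fix version named later in this article, recursing into nested archives so shaded copies inside fat jars are not missed. The fixture jar built by build_sample_jar is constructed for the example; the class and pom.properties paths are the standard ones for log4j-core.

```python
import io
import re
import zipfile

# Presence of this class is what makes a log4j-core jar exploitable via CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # the upgrade target named in the article
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc2' -> (2, 15, 0); 'unknown' -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def inspect_archive(data, path):
    """Return (path, version) for each affected log4j-core in an archive, recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            # An unreadable version is still reported: a false positive beats a missed jar.
            if parse_version(version) < FIXED_VERSION:
                findings.append((path, version))
        for name in names:  # fat jars, wars and ears carry shaded copies one level down
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(inspect_archive(zf.read(name), f"{path}!/{name}"))
    return findings

def build_sample_jar(version, wrap=False):
    """Constructed fixture: a minimal log4j-core-shaped jar, optionally nested inside a fat jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; body is irrelevant
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    if not wrap:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/log4j-core.jar", buf.getvalue())
    return outer.getvalue()
```

Calling inspect_archive on every archive found under a project directory (for example with os.walk) gives the same kind of report the article describes: the exact path of the affected file and the version found in it.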

For more information about this tool, make sure to read through the project README (https://github.com/whitesource/log4j-detect-distribution/blob/main/README.md).

Critical RCE Zero Day Vulnerability Found in Apache Library

Chen Zhaojun, from the Alibaba Cloud Security team, recently reported to the Apache Foundation that an Apache library (Log4j) contains a vulnerability: when message lookup substitution is enabled, an attacker who controls log messages or log message parameters can cause the library to execute arbitrary code loaded from an LDAP server.

This vulnerability (CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) was found in Log4j2 versions 2.14.1 and earlier and received the maximum possible CVSS score of 10.0.

The Log4j library is in wide use in enterprise Java software, so it's imperative that anyone using it upgrades to Log4j v2.15.0.

John Hammond, a senior security researcher with Huntress, warned, "If your organization uses Apache log4j, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it's worth noting that this isn't an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products."

Even printers and CCTV systems are at risk. A new GitHub project (https://github.com/YfryTchsGD/Log4jAttackSurface) has been created to map out potentially affected manufacturers and components.

This vulnerability should not be taken lightly. If you use the Log4j library, make sure you start taking steps immediately to mitigate any risk to your company, your clients, and your data.

The Linux Foundation to Host the Cloud Hypervisor Project

Backed by several powerhouses in the tech industry, The Linux Foundation is set to release a virtual machine monitor (VMM) specific to modern cloud workloads. The Cloud Hypervisor VMM will be written in Rust with a focus on security, will support CPU, memory, and device hot plug, will run both Linux and Windows guests with a minimal footprint, and will be able to perform device offload with vhost-user.

The backers of this new platform include Alibaba, ARM, Intel, and Microsoft. According to Arjan van de Ven, fellow at Intel, "Cloud Hypervisor has grown to the point of moving to the neutral governance of The Linux Foundation." He continues, "We created the project to provide a more secure and updated VMM to optimize for modern cloud workloads. With fewer device models and a modern, more secure language, Cloud Hypervisor offers security and performance optimized for today's cloud needs."

Of the new project, Gerry Liu, senior staff engineer at Alibaba, said, "Cloud Hypervisor is a great innovation project and evolves rapidly. Moving it to Linux Foundation will help to build a stronger community and speed up the adoption."

Find out more from the official Linux Foundation announcement (https://www.linuxfoundation.org/press-release/linux-foundation-to-host-the-cloud-hypervisor-project-creating-a-performant-lightweight-virtual-machine-monitor-for-modern-cloud-workloads/).
