The Urgent Need to Keep Data Secure in Light of Apache Log4j Vulnerabilities
The recent cyberattack has the potential to wipe out the Internet, bringing NASA, smart TVs, and Minecraft to a standstill. Amazon and Google are now vulnerable to a sophisticated hacking attack, which makes the 'worst-ever' Internet security flaw 'apocalyptic' for the computer industry. The flaw, which may allow hackers to take control of nearly everything on the Internet, has apparently made IT giants nervous. According to the Seattle Times, employees at Silicon Valley corporations have been working all-nighters to guarantee their code is secure.
The Apache Software Foundation released information on two critical vulnerabilities in its Java-based Log4j library, the first of which is known as Log4Shell. The vulnerability lies in an open-source logging library used in most applications by enterprises and even government agencies. Hackers are already testing exploits for it. The problem affects Log4j 2, a very common logging library used by applications across the world. Logging lets developers see all the activity of an application.
The first vulnerability, CVE-2021-44228, also known as Log4Shell or LogJam, was reported as an unauthenticated remote code execution (RCE) vulnerability. An attacker who exploits how the library logs error messages could take over the system completely. Log4j is one of the most widely used logging libraries in the world. Its adaptable logging capabilities make it useful across any type of infrastructure or application. Countless enterprise, government and open-source applications use Log4j.
Tech companies such as Apple, Microsoft and Google all rely on this open-source library, as do enterprise applications from Cisco, NetApp, Cloudflare, Amazon and others. The potential scope of the initial RCE vulnerability, CVE-2021-44228, is astounding. Any device or app connected to the internet and running Log4j versions 2.0-2.14.1 is at risk.
In addition, exploiting the vulnerability is relatively straightforward. By simply sending a malicious string that the application then logs, attackers can exploit a feature in Log4j that can be used to retrieve information. The attackers use the Java Naming and Directory Interface (JNDI) to make an external network request for the malicious payload in the form of a Java file. From there, the attacker is free to deliver any malware or backdoor into the infrastructure.
The second vulnerability, CVE-2021-45046, was uncovered shortly after the initial patch was released. According to the CVE description, the initial patch was “incomplete” and this new exploit “could allow attackers… to craft malicious input data using a JNDI lookup pattern resulting in a denial of service attack.” The recommended response is to update any server, app or resource that uses Log4j with the latest patch immediately. This patch includes coverage for both the latest DoS vulnerability and the original RCE vulnerability.
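An added example (not from the original article or from Apache): a small inventory check that flags log4j-core jars whose filename version falls in the 2.0-2.14.1 range stated above, so they can be prioritised for patching. It assumes the usual Maven-style name `log4j-core-<version>.jar`; the function names and sample paths are constructed for illustration.

```python
import re

# Range the article states for CVE-2021-44228: Log4j 2.0 through 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Assumption: jars use the Maven-style name log4j-core-<version>.jar,
# optionally with a qualifier such as -beta9 or -rc1.
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([-.][A-Za-z0-9]+)?\.jar$"
)

def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    # A missing patch number (e.g. 2.8) counts as 0; qualifiers are ignored,
    # so pre-releases are treated conservatively as the release they precede.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(path):
    """Classify one file path against the range stated in the article."""
    version = parse_version(path)
    if version is None:
        return "not-log4j-core"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "in-stated-range"
    # The first patch was incomplete (CVE-2021-45046), so a newer version
    # still has to be confirmed against the current Apache advisory.
    return "above-stated-range"

def audit(paths):
    """Return the paths that need patching first, in sorted order."""
    return sorted(p for p in paths if classify(p) == "in-stated-range")

# Constructed sample inventory, e.g. the output of a file listing.
SAMPLE_INVENTORY = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/search/lib/log4j-core-2.0-beta9.jar",
    "/srv/billing/WEB-INF/lib/log4j-core-2.8.jar",
    "/srv/portal/lib/log4j-core-2.17.0.jar",
    "/srv/portal/lib/slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for path in SAMPLE_INVENTORY:
        print(f"{classify(path):20} {path}")
```

A filename check misses copies of Log4j bundled inside fat or shaded jars, so a clean result is a starting point rather than proof.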
As soon as the proof-of-concept exploit was released on GitHub, threat actors began actively scanning the internet for vulnerable assets. Lookout customers who use the Lookout Security Platform, our Secure Access Service Edge solution, are equipped with several ways to protect their sensitive data and mitigate risks associated with this vulnerability.