The Details The Log4J vulnerability in the Java logging package maintained by Apache made headlines late last week. It was disclosed as a Zero Day bug which is easily exploitable, received a CVSS score of 10/10, and includes remote code execution (RCE) on the target host. Associated CVE-2021-44228 is available on the NIST NVD website which provides more information and references including the CISA advisory. The number of Log4J installations has been described as “hundreds of millions” and “countless”. Virtually all Log4J versions (<= 20.14.1 which was released in early March 2021) are vulnerable. The most recent version of Log4J is now version 20.16.0 since subsequent patched updates were released in quick succession on December 6th and December 13th of 2021. If you want to know whether a 3rd party application is vulnerable to re-assess your risk, review the Software Bill of Materials (SBOM), if one has been provided, it…
vulnerability disclosure
This article attempts to give an overview of how IT vulnerabilities are categorized during their life-cycle. Understanding the terms related to the various stages of IT security vulnerabilities can allow a better understanding of what a proper security policy framework should include. First lets cover the stages: Unknown – vulnerabilities that exist but nobody knows about them. The vulnerability is not designed in put into the software or hardware by a malicious actor. These vulnerabilities are caused by poor implementation. Software coding standards and software development guidelines attempt to prevent these types of vulnerabilities from happening, but complex constructs in software programming languages are difficult to implement properly can be a large source of vulnerabilities. Unknown vulnerabilities may be discovered through static code analysis and “fuzzing” (automated testing) by malicious actors, bug hunters, or security threat hunters. Known – once the vulnerability has been discovered, it may fall into…