"Apache Log4J" vulnerabilities and more than 35,000 Java packages-Google surveys

 The topic of the serious vulnerabilities that exist in the Java log output library "Apache Log4J" continues.The U.S. Cyber Security Infrastructure Security Agency (CISA) ordered the U.S. Federal Government to apply patches to multiple vulnerabilities, including Log4J vulnerabilities by December 24, but on December 17.Appeared an emergency order to the U.S. government agency to immediately correct the vulnerability of LOG4J in the asset connected to the network.It is said that multiple threat actors are actively abusing the widely used Log4J vulnerabilities.From around last week, several major tech companies, including IBM, Cisco, and VMware, have rushed to respond to Log4J vulnerabilities in each product.

 BLUMIRA, a security company, claims that it has discovered a new LOG4J -related attack vector, aiming for an attack on a server in a Listen state on a PC or local network, and this problem has a vulnerability.It mentions the possibility that the assumption that it will only affect the server will not be established.

 Security companies, Advanced Intelligence, reported that ransomware groups such as Conti are seeking a means of exploring Log4J vulnerabilities.

 Google was a member of Open Source Insights Team, a member of the Open Source Insights Team, and Nicky Ringland surveyed Java Artifacts that can be used from the "Maven Central" repository, and 3 depends on the affected Log4J.A security report was released to be found in 5863.According to the two, these numbers mean at least one version affected by the vulnerabilities among all packages registered in Maven Central.

「Apache Log4j」の脆弱性、3万5000超のJavaパッケージに影響の恐れ--グーグル調査

 "The 8 % effect on the ecosystem is a very large value. Of the advisory that affects Maven Central, the average value of the target ecosystem is 2 %, and the median is 0.1.It is only less than %. "

 At the time of our writing, the patch was applied to nearly 5,000 artifacts, but it seems that more than 30,000 has not yet been applied.However, both pointed out that it would be difficult to deal with this issue because LOG4J could be embedded deep into the product."Most artifacts that depend on Log4J indirectly depend on them. The more the vulnerabilities in the dependent chains, the more steps required for corrections."

提供:Google

 According to the two, they have confirmed all the important advisory that has been open to the public, which affects the Maven package, and has revised that less than half (48 %) of artifacts affected by vulnerabilities has been modified.In other words, it may take several years before the Log4J problem is resolved.

 Apache Software Foundation (ASF) has released a new version of Log4J "2.17.0" on the 17th.It will deal with the issues discovered after the release of the previous version of "2.16.0" released on December 14.

 ASF explained that "CVE-2021-45105", which "CVE-2021-45105", which leads to a service refusal (DOS) attack, states that "the infinite recursion cannot be completely prevented when looking up resources."In this vulnerability, the score of the common vulnerability evaluation system (CVSS) is 7.5, and the severity is "important".Only the Log4j-Core JAR file is affected by CVE-2021-45105.ASF introduces the details of the problem and the easing measures.

 Security Researchers and others have talked about the potential problems of 2.16.0 since 17th, and some researchers have argued that there are vulnerabilities that lead to DOS attacks.

This article edited by Asahi Interactive for an article from overseas RED VENTURES for Japan.