Newsletter 01/09/2022
Log4j Update: It Ain't Over 'Till It's Over. And It Ain't Over.
Turning and turning in the widening gyre
The poet Yeats was obviously not writing about malware in the
1890s; but like all great art, the Yeats poem quoted above transcends time and
speaks an eternal truth about the human condition. Log4j has done
nothing but loose chaos on our world. Communications have been
interrupted. Otherwise innocent programmers, developers, and
executives claim no responsibility for what we now know was some very
shortsighted decision making. Just a week before the Log4j
outbreak on November 30, 2020, Security Boulevard posted an article
titled,
"Common vulnerabilities in Java and how to fix them".
The article lists 30 specific vulnerabilities known to be present in
Java, and also their mitigations. We now see corporations
assessing what might be their liabilities for employing applications
known to have extensive vulnerabilities, and thus spewing platitudes
about their methods of production. Meanwhile every hacker group,
pro and am, is lapping up the ill-gotten gravy and getting great belly
laughs at the expense of their shorn sheep, you and me.
Fitch Ratings-New York/Chicago/Austin-21 December 2021: The
recent breach of Ultimate Kronos Group's (UKG) Kronos Cloud Solutions
platform could pose significant, but temporary, management challenges
for public finance entities that use the Kronos platform through the
holiday season, says Fitch Ratings. While we do not anticipate that the
UKG breach will have meaningful credit implications for individual
public finance entities that use Kronos, the breach continues to
reinforce the necessity of robust third-party risk management strategies
and identification of critical dependencies for public finance issuers.
The attack further highlights the importance of cyber emergency
preparedness and response strategies for the public finance sector.
The City of Cleveland, notes Fitch Ratings, asserts that some of the
city data accessed may have included certain employees’ first and last
names, addresses, last four digits of the social security numbers, and
employee ID numbers.
The UK's National Health Service (NHS) has issued a warning that
hackers are actively targeting Log4j vulnerabilities and is recommending
that organisations within the health service apply the necessary updates
in order to protect themselves.
VMware is a cloud provider employed across many different types of systems and industries using virtual machine technology. VMware, Inc. is an American cloud computing and virtualization technology company headquartered in California. VMware was the first commercially successful company to virtualize the x86 architecture. VMware's desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system.
Amazon Web Services (AWS) is by all accounts the largest provider of cloud-based IT services. And AWS is powered by VMware.
What is VMware Cloud on AWS?
It should be noted that AWS experienced an outage on December 7, 2021, as the Log4j crisis was starting to unfold. Another outage hit AWS on December 15, and then a third on December 22, 2021. In each instance, the effects were far reaching, from Amazon deliveries run amok to Tesla owners locked out of their cars. So it doesn't take a NASA Rocket Scientist to see that this is a whole lot of cyber feces about to hit the cyber circular oscillator.
Many commentators among the digerati have compared Log4j to Covid in one way or another. Security Boulevard published a piece, January 6, 2022, entitled, "Log4Shell log4j Remote Code Execution – The COVID of the Internet". The Register's take was to compare Log4j to the Omicron variant.
It's not unreasonable to suggest that immunology and
cybersecurity could learn a lot if they talked more. Sometimes, though,
the parallels are far too close for comfort.
We even have the same confusion of nomenclatures. I am neither a doctor nor epidemiologist, but I have seen and heard enough of them on cable news to know that "The virus is known as severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). The disease it causes is called coronavirus disease 2019 (COVID-19)." So sayeth the Mayo Clinic.
Likewise, we have a similar situation among the digerati as they do their reporting on Log4j. Specifically, "If a device that is connected to the internet runs Apache Log4j, versions 2.0-to-2.14.1, then they are vulnerable to Log4Shell." So, if your system is vulnerable to an attack brought about by the Log4j vulnerability, among the many strains of malware that might infect your system, one strain of that malware is called Log4Shell. I am pretty sure I know who gets to decide these things in medicine, but I have no idea who gets to make these decisions in IT.
If all of this sounds demoralizing and depressing, well, it is. But we can still have some fun. Hurry on over to the next post and discover the wonderful world of POWERTOYS.
Gerald Reiff