Category: Software, Security, shell

https://www.linkedin.com/in/charlottemfreeman/

The infosec world has been “all hands on deck” dealing with the Log4j vulnerability (https://thenewstack.io/another-day-another-log4j-vulnerability/) in the ubiquitous Log4j (https://logging.apache.org/log4j/) Java-based open source logging framework. This vulnerability, listed last week under CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), was released with a score of 10 out of 10 in the Common Vulnerability Scoring System (CVSS), which is why it is being treated as the emergency it is.

Data from untrusted sources (i.e., user-controlled input) should generally not be concatenated into log files without sanitization.
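One way to apply this principle, as an added example that is not code from the article or from the Log4j project: a small Java helper that neutralizes control characters (which let one input forge extra log lines) and the `${` lookup prefix before untrusted text is handed to a logger. The escape scheme used here is an assumption of this example, not a Log4j convention.

```java
// Added example: sanitize untrusted text before it reaches a logging call,
// e.g. logger.info("login user={}", LogSanitizer.sanitize(userSupplied));
public final class LogSanitizer {

    private LogSanitizer() {}

    /** Returns a copy of untrusted input that is safe to embed in a single log line. */
    public static String sanitize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '$' && i + 1 < untrusted.length() && untrusted.charAt(i + 1) == '{') {
                // Break the "${" prefix so a vulnerable Log4j 2 sees literal text, not a lookup.
                out.append("$\\{");
                i++; // the '{' has been consumed
            } else if (c < 0x20 || c == 0x7F) {
                // Replace CR, LF and other control characters with a visible escape
                // so the value cannot inject a forged line into the log.
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a newline-injection attempt and a lookup-shaped string.
        String forgedLine = "alice\nINFO  admin login succeeded";
        String lookupShaped = "${placeholder}";
        System.out.println(sanitize(forgedLine));
        System.out.println(sanitize(lookupShaped));
    }
}
```

Sanitizing input is defense in depth only; the fix for CVE-2021-44228 itself is upgrading Log4j to a patched release.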

Successful exploitation of the Log4j 2 vulnerability requires that the vulnerable system can communicate with an external system controlled by the attacker, either to retrieve a payload or to exfiltrate data.

The early lessons from Log4j 2 indicate that security principles are key to handling these high-risk software supply chain security incidents.
