Friday, July 8, 2022

Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know – Naked Security


Remember the Log4Shell bug that showed up in Apache Log4j late in 2021?

Log4j is one of the Apache Software Foundation’s many software projects (more than 350 at the current count), and it’s a programming library that Java coders can use to manage logfiles in their own products.

Logfiles are a vital part of development, debugging, record keeping, program monitoring, and, in many industry sectors, of regulatory compliance.

Unfortunately, not all the text you logged – even if it was sent in by an external user, for example as a username in a login form – was treated literally.

If you gave your name as MYNAME, it would be logged just like that, as the text string MYNAME, but any text wrapped in ${...} characters was treated as a command for the logger to run, which could lead to what’s known as RCE, short for remote code execution.
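To make the mechanism concrete, here is a small toy model of that “${...} means run a lookup” behaviour. It is an added example written for this page, not Log4j’s code and not the Commons Configuration code discussed here: the lookup handlers (env:, lower:), the FAKE_ENV table and the %m placeholder are all hypothetical stand-ins chosen so the script runs offline. It shows the vulnerable pattern (splice the user’s text into the line, then expand lookups over everything), the hardened pattern (expand lookups only in the trusted layout, then splice the user’s text in literally), and why a blocklist on one literal prefix is not a fix, because nested lookups rebuild the prefix after the filter has run.

```python
import re

# Constructed stand-in for the process environment, so the example runs
# offline and deterministically. Swapping in os.environ is a one-line change.
FAKE_ENV = {
    "APP_NAME": "demo-app",
    "DB_PASSWORD": "hunter2",  # the secret an attacker wants to exfiltrate
}

# One innermost ${prefix:key} lookup: no further braces inside the body.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")

# Toy lookup handlers (hypothetical; a real logging framework ships many
# more, and in Log4j it was the jndi: lookup that Log4Shell abused).
LOOKUPS = {
    "env": lambda key: FAKE_ENV.get(key, ""),
    "lower": lambda key: key.lower(),
}


def resolve_lookups(text, max_passes=10):
    """Expand every ${prefix:key} in text. Innermost lookups are resolved
    first and the result is rescanned, so nested forms such as
    ${${lower:ENV}:DB_PASSWORD} also expand. Unknown prefixes are left
    untouched; max_passes bounds the work on pathological input."""
    def expand(match):
        prefix, key = match.group(1), match.group(2)
        handler = LOOKUPS.get(prefix)
        return handler(key) if handler else match.group(0)

    for _ in range(max_passes):
        expanded = LOOKUP_RE.sub(expand, text)
        if expanded == text:
            break
        text = expanded
    return text


def format_log_vulnerable(layout, message):
    """Log4Shell-style behaviour: splice the (attacker-controlled) message
    into the layout first, then run lookups over the whole line."""
    return resolve_lookups(layout.replace("%m", message))


def format_log_fixed(layout, message):
    """Hardened form: run lookups only over the trusted layout, then splice
    the message in literally, so user-supplied ${...} is never expanded."""
    return resolve_lookups(layout).replace("%m", message)


def naive_prefix_filter(message):
    """A blocklist on one literal prefix. Nested lookups bypass it."""
    return "${env:" in message


def contains_lookup_syntax(message):
    """Flag any lookup syntax at all. Obfuscated payloads still have to
    contain the opening '${', so this is the check worth alerting on."""
    return "${" in message


if __name__ == "__main__":
    layout = "${env:APP_NAME} login user=%m"
    for user in ["MYNAME", "${env:DB_PASSWORD}", "${${lower:ENV}:DB_PASSWORD}"]:
        print("input:      ", user)
        print("vulnerable: ", format_log_vulnerable(layout, user))
        print("fixed:      ", format_log_fixed(layout, user))
        print("naive filter:", naive_prefix_filter(user),
              " any-lookup:", contains_lookup_syntax(user))
```

Run it and the third input is the instructive one: the naive filter says it is clean, yet the vulnerable formatter still logs the password, because `${lower:ENV}` turns into `env` on the first pass and the rebuilt `${env:DB_PASSWORD}` is expanded on the second. The fixed formatter logs all three usernames exactly as typed, which is what a logger should do with untrusted text.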

Recently, we saw a similar sort of bug called Follina, which affected Microsoft Windows.

There, the troublesome characters were $(...), with round brackets replacing squiggly ones, but with the same sort of side-effect.

In the Follina bug, a URL that contained a directory name with the string SOMETEXT in it would be treated just as it was written, but any text wrapped in $(...) would be run as a PowerShell command, once again creating a risk of remote code execution.
