Apache Log4j Weakness
Also known as Log4Shell, the Apache Log4j vulnerability was the cybersecurity news story of December 2021 and probably the most significant of 2022. A flaw in the widely used Java logging library, it was first disclosed publicly on 9 December. The vulnerability was first discovered in Minecraft, where it allowed a user of the application to execute unauthorized code remotely because the game relied on the Java logging library.
Log4j is open source software from the Apache Software Foundation. It records errors and routine system events and communicates diagnostic messages about them to users and system administrators. An example of Log4j in action: when you click a broken link or mistype a URL, you get a 404 error message in your browser. The web server tells you that there is no such page and records the event in a log using Log4j.
Log4j is the most popular Java logging library. It is used in many systems, including web applications, cloud platforms and email services. The Log4j library is embedded in every Internet application or service we know of, including those of Amazon, Twitter, and Microsoft.
Due to the ubiquity of the Log4j library, the difficulty of fixing it manually, and the ease with which Log4Shell can be exploited, the impact of the vulnerability could be felt for years to come. Not surprisingly, it has been assigned the highest possible severity score, 10 out of 10.
Meanwhile, thousands of attempts to exploit this vulnerability were recorded just hours after it was disclosed. This is not uncommon, because bad actors often want to exploit a newly revealed flaw before it can be widely patched. In this case, however, the widespread use of Log4j and the fact that many companies do not know which parts of their network use it mean that cybercriminals may have an unusually long window in which to exploit the flaw.
Users and administrators are urged to apply mitigations immediately, including upgrading Log4j.
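Because many organizations do not know where Log4j sits in their estate, the first step of the upgrade is an inventory. The following is an added example, not code from the article: a Python check that walks a directory tree for JAR, WAR and EAR archives, reads the Maven pom.properties that log4j-core ships with (descending into JARs nested inside WARs), and flags copies older than a minimum version. MIN_SAFE_VERSION is a placeholder assumption, since the article does not name the patched release, and the sample archives built in demo() are constructed.

```python
import io, os, re, tempfile, zipfile
# Maven metadata that log4j-core JARs ship with; its "version=" line is the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_SAFE_VERSION = "2.17.1"  # placeholder assumption: the article does not state the patched version
def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])  # '2.14.1' -> (2, 14, 1)

def log4j_core_version(archive):
    """Version of log4j-core bundled in an open ZipFile (recursing into nested JARs), else None."""
    if POM_PROPERTIES in archive.namelist():
        for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    for member in (n for n in archive.namelist() if n.lower().endswith(".jar")):  # e.g. WEB-INF/lib
        try:
            with zipfile.ZipFile(io.BytesIO(archive.read(member))) as nested:
                found = log4j_core_version(nested)
        except zipfile.BadZipFile:  # entry named .jar but not a real archive
            continue
        if found:
            return found
    return None

def scan_tree(root, min_safe=MIN_SAFE_VERSION):
    """Walk root; return [(path, version, needs_upgrade)] for each archive bundling log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in (f for f in filenames if f.lower().endswith((".jar", ".war", ".ear"))):
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as archive:
                    version = log4j_core_version(archive)
            except zipfile.BadZipFile:
                continue
            if version is not None:
                findings.append((path, version, parse_version(version) < parse_version(min_safe)))
    return findings

def demo():
    """Scan a constructed sample tree: an old log4j-core JAR plus a WAR bundling a newer one."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "old-app.jar"), "w") as z:
            z.writestr(POM_PROPERTIES, "version=2.14.1\n")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as z:
            z.writestr(POM_PROPERTIES, "version=2.17.1\n")
        with zipfile.ZipFile(os.path.join(root, "new-app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
        return sorted((os.path.basename(p), v, bad) for p, v, bad in scan_tree(root))
```

Archives that repackage the log4j classes without the Maven metadata will not be detected, so treat a clean result as a starting point for the upgrade rather than proof of absence.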
DHS announces cybersecurity bug bounty program
The US Department of Homeland Security has launched a bug bounty program to help identify and fix cybersecurity vulnerabilities in selected external-facing DHS systems. First unveiled by the DHS Secretary at the Bloomberg Technology Summit, the ‘Hack DHS’ program will pay between $500 and $5,000 depending on the severity of the vulnerability.
Unlike typical bounty programs, which are open to all, participating researchers will be vetted before being invited to access DHS systems. Hack DHS builds on the success of Hack the Pentagon, a pioneering federal program launched in 2016 that has found more than 7,000 security vulnerabilities.
Hack DHS will have three phases, all of which will run until 2022. First, a virtual assessment in which hackers are invited to analyze DHS systems. Second, a live hacking event. Third, vulnerability identification, review, and planning for future bounty programs. The program will be governed by rules set by DHS’s CISA, under which participants must disclose all the information they discover that can be used to mitigate and fix the vulnerabilities they find.
The program is intended not only to lay the basis for future bug bounty plans but also to serve as a blueprint that other government agencies can use to strengthen their cybersecurity resilience.