URL: https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/
Submission: On January 12 via api from IN — Scanned from DE

Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16

Now open-source logging library's JNDI disabled entirely by default, message lookups removed

Gareth Corfield Tue 14 Dec 2021 // 23:30 UTC

Last week, version 2.15 of the widely used open-source logging library Log4j was
released to tackle a critical security hole, dubbed Log4Shell, which could be
trivially abused by miscreants to hijack servers and apps over the internet.

That release closed the hole (CVE-2021-44228) by disabling, by default, the Java
library's most readily exploitable functionality: JNDI message lookups. Now version
2.16 is out, and it disables all JNDI support by default and removes message
lookup handling entirely for good measure, hopefully putting an end to further
exploitation.

This is needed because version 2.15 is still exploitable in certain non-default
configurations, and this moderate-severity oversight has earned its own bug ID:
CVE-2021-45046.

Crucially, this move is defense in depth: Apache conceded JNDI "has significant
security issues," so it has simply deactivated it by default with a fresh release.
Version 2.15 was most probably enough to protect you from attack; version 2.16
makes it certain.

It all comes as network observers say they're seeing tens of thousands of
attempts per minute to exploit internet systems via the logging library, with
miscreants using the remote-code-execution hole to steal cloud infrastructure
credentials, and deploy cryptocoin miners and ransomware, at least.

Quick links

 * The logging library is commonly used by Java code and is buried in tons of
   software, including some security defense products. Some useful commands for
   finding evidence of Log4j deployments on Linux boxes are listed here
 * Check Point Research says it's seen at least 60 variants of exploit code used
   against vulnerable machines
 * How the flaw was found and reported, and the scramble to patch it in time as
   word spread of the hole
 * The US government's hub of information about the vulnerability and what to do
   next
 * The Netherlands' National Cyber Security Center's incredible collection of
   software and other products affected by Log4Shell that will need patching or
   protecting as well as indicators of compromise and other info
 * El Reg's coverage of Log4Shell

In its latest release notes for Log4j 2.x, the Apache Foundation said: "Dealing
with CVE-2021-44228 has shown the JNDI has significant security issues. While we
have mitigated what we are aware of it would be safer for users to completely
disable it by default, especially since the large majority are unlikely to be
using it."

Thus version 2.16.0 has shipped with JNDI, the Java Naming and Directory
Interface, switched off. JNDI is the API that was explosively discovered to be
exploitable in Log4j last week. It's supported by Log4j so that objects can be
fetched from remote servers to use in log entries.

With JNDI enabled, Log4j could be tricked into fetching Java code from an
attacker-controlled server and blindly executing it, compromising the device. To
achieve this, the attacker would need to feed some specially crafted text in,
say, an app account username or site search query, that when logged by Log4j
would trigger the remote code execution.

According to the Apache team:

From version 2.16.0, the message lookups feature has been completely removed.
Lookups in configuration still work.

Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in
configuration now need to be enabled explicitly. Also, Log4j now limits the
protocols by default to only java, ldap, and ldaps and limits the ldap protocols
to only accessing Java primitive objects. Hosts other than the local host need
to be explicitly allowed.

That basically means if you want to use JNDI lookups, you need to take the
safeties off your software stack.

NCC Group's Jeff Dileo mused in a blog post: "In reality, the JNDI stuff is
regrettably more of an 'enterprise' feature than one that developers would just
randomly put in if left to their own devices. Enterprise Java is all about
antipatterns that invoke code in roundabout ways to the point of obfuscation,
and supporting ever more dynamic ways to integrate weird protocols like RMI to
load and invoke remote code dynamically in weird ways."

Essentially, if you're using (or deploying) Log4j 2.x versions 2.14 or below,
upgrade to 2.16, and if you're already on 2.15, consider 2.16 for peace of mind:
the JNDI code is not known to be terribly secure.
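
That advice (2.14 or below: upgrade; already on 2.15: move to 2.16) is only actionable once you know which log4j-core versions are actually sitting on a host. The following is an added example, not code from The Register or from the Apache Log4j project: it walks a directory tree, opens every jar/war/ear, reads the Maven pom.properties that log4j-core jars carry at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and reports a verdict per the article's guidance. It also looks one level into nested archives, because wars and fat jars bundle their dependencies where a plain filename search would miss them. The sample jars it scans are constructed in a temporary directory so the script runs offline; in practice you would point scan_tree at a real path such as an application's lib directory.

```python
"""Inventory log4j-core jars on disk and classify each against the article's
advice: <=2.14 upgrade, 2.15 move to 2.16, >=2.16 fine.
Added example, not The Register's or Apache's code. Assumes Maven-built jars,
which carry META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties."""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Return the 'version=' value from a pom.properties body, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify(version):
    """Map a log4j-core version string to the article's upgrade advice."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown-version"
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 2:
        return "not-2.x"  # Log4j 1.x is outside the scope of this check
    if minor <= 14:
        return "vulnerable: upgrade to 2.16"
    if minor == 15:
        return "partial fix (CVE-2021-45046): move to 2.16"
    return "ok (2.16 or later)"


def scan_archive(blob, path, findings, depth=0):
    """Look for log4j-core inside one archive held in memory; recurse one
    level into nested jars, since wars and fat jars bundle dependencies."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            verdict = classify(version) if version else "unknown-version"
            findings.append((path, version, verdict))
        if depth < 1:
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive(zf.read(name), f"{path}!{name}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory and return [(path, version, verdict), ...] for every
    log4j-core found, including those inside nested archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_tree(root):
    """Constructed fixtures (not real artifacts): three log4j-core jars plus a
    war that nests a 2.14.1 jar, chosen to exercise every verdict."""
    def make_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        with open(os.path.join(root, "lib", f"log4j-core-{v}.jar"), "wb") as fh:
            fh.write(make_jar(v))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(buf.getvalue())


def demo():
    """Scan a constructed tree; returns {relative path: (version, verdict)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(p, root): (v, verdict)
                for p, v, verdict in scan_tree(root)}


if __name__ == "__main__":
    for path, (version, verdict) in sorted(demo().items()):
        print(f"{path}: log4j-core {version} -> {verdict}")
```

The check keys on the version string Maven records, not on the jar's filename, so a renamed or repackaged log4j-core is still caught; what it cannot see is a jar whose pom.properties was stripped or a copy shaded into another artifact under a different package name, so treat a clean result as one input to inventory rather than proof of absence.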

Exploitation probably from crims rather than nation states

Britain's National Cyber Security Centre earlier today said it wasn't seeing
much obviously malicious web traffic linked to Log4j other than scanning to
identify vulnerable systems, though as the day has worn on, infosec folk say
attacks are ramping up. Bitdefender claimed to have seen a ransomware raid on
Windows machines involving a Log4j exploit, dubbing the ransomware Khonsari.

Kaspersky Lab published some findings from its telemetry suggesting most exploit
attempts were being launched from Russian IP addresses, which in itself doesn't
mean anything yet – though it chimes with previously reported information from
Bitdefender.

For now, developers need to roll out their application and server software with
patched versions of Log4j, and organisations need to not only install them but
also check to see if they've already been pwned. ®
