News this week of the critical Apache vulnerability now known as “Text4Shell” raised great concern among some security pros that another Log4Shell event was at hand, but it turned out those fears were overblown.

In blog posts by Rapid7 and Checkmarx, researchers made clear that while CVE-2022-42889 should still be considered severe, it’s not on the same level as Log4Shell. While that Apache vulnerability was exploitable in nearly every application, this flaw can only be exploited by using Apache Commons Text in a specific way to expose the attack surface.

“…we must point out that the vulnerable package and functions are not as widely used in the wild,” write Checkmarx researchers Yaniv Nizry and Miguel Correira. “Another major difference is in implementation. While the most fundamental use-cases of Log4j were vulnerable in Log4Shell, this vulnerability requires an implementation pattern that may not affect all of its users.”

Casey Ellis, founder and CTO at Bugcrowd, said there’s a phrase he uses every so often that’s a play on a fairly severe type of vulnerability, Remote Press Execution: when the press and social media respond to a vulnerability in a way that’s completely unrelated to the impact of the vulnerability itself. To be fair, much of the chatter on Twitter was mixed, with enough people offering context versus those raising alarm bells. Some headlines even proclaimed that this was “like Log4Shell all over again.”

“Referring to the Apache vulnerability as ‘4Shell’ can be rationalized through the few similarities it has in that it’s a library, open-sourced, and it’s an input interpretation issue causing remote code recall,” Ellis said. “However, given what most folks remember about Log4Shell is the extreme disruption and difficulty it caused, I think it’s fair to say that its use here was premature.”

So given that the press will run with a story like this, how can security teams hold down the hysteria and sort out what’s really happening in each specific case?

“Experienced cybersecurity teams won’t panic or alter their processes because of a nickname,” said Craig Burland, chief information security officer at Inversion6. “They’ll evaluate the vulnerability on its technical merits and react accordingly. Good cybersecurity leaders will help people look beyond the name and hopefully take any interest as an opportunity to educate people about cyber risk.”

Burland added that it’s futile to try and legislate the nicknames of vulnerabilities. Use of “4Shell” may trend for a while, gathering more clicks and reposts, but it’s unlikely to stick around like “gate”, spanning generations and covering everything from politics to sports (e.g. Watergate to Deflategate), said Burland.

“On the plus side, if ubiquitous use of the ‘4Shell’ suffix garners space in high-profile publications such as Forbes or the Wall Street Journal, prompting more questions from business leaders, then it will have served as a great user awareness tool,” Burland said.

Geoffrey Fisher, senior director, integration strategy at Tanium, said vulnerability names are simply just that: names and branding. Fisher said with any vulnerability an organization needs to understand a few aspects, its severity, its exploitability, and its velocity (e.g. spread in an organization) so they can adequately prioritize remediation.

“Every organization should take vulnerabilities with a grain of salt until they understand how it affects their environment,” Fisher said. “People use naming to create buzz and gain individual recognition. This is yet another circumstance where marketing and branding has gotten ahead of reality. That needs to be kept in mind. When that happens in any organization, frequently that’s a recipe for a bad result. Most serious researchers hate this kind of behavior as it dilutes the seriousness of future warnings, especially when the house is actually on fire.”

A newly patched version (1.10.0) of the software remediates the danger, and Erick Galinkin of Rapid7 advised companies to be on the lookout for follow-on advisories from vendors they rely on who may also use vulnerable implementations of the library, as they will also likely put out patches as well.
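Galinkin’s advice to look for vulnerable copies of the library in what you run, as an added example that is not part of the original article: a Python scanner that walks a directory tree, reads each jar’s MANIFEST.MF and flags Apache Commons Text builds older than the 1.10.0 release named above. The manifest attribute names it matches on and the sample jars it builds in a temporary directory are constructed assumptions for the demonstration, not taken from the article.

```python
import os, re, tempfile, zipfile

FIXED_VERSION = (1, 10, 0)  # first release with the fix, per the article
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """'1.9', '1.10.0' or '1.9-SNAPSHOT' -> 3-tuple of ints; None if unparsable."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def manifest_fields(jar_path):
    """Main-section attributes of the jar manifest, keys lower-cased."""
    with zipfile.ZipFile(jar_path) as jar:
        raw = jar.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in jar.namelist() else ""
    fields = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):  # a leading space marks a continuation line
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def vulnerable_jars(root):
    """Yield (path, version) for commons-text jars below FIXED_VERSION or of unknown version.
    The library is identified by manifest metadata, not by the (renamable) file name."""
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".jar")):
            path = os.path.join(dirpath, name)
            f = manifest_fields(path)
            ident = " ".join(f.get(k, "") for k in ("bundle-symbolicname", "implementation-title"))
            if "commons.text" not in ident.lower().replace(" ", "."):
                continue
            ver = parse_version(f.get("implementation-version") or f.get("bundle-version") or "")
            if ver is None or ver < FIXED_VERSION:  # unknown version: flag for manual review
                yield path, ver

def make_sample_jar(path, version):
    """Constructed sample: a jar holding only a commons-text style manifest (assumed attribute values)."""
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: Apache Commons Text\r\n"
                f"Implementation-Version: {version}\r\nBundle-SymbolicName: org.apache.commons.text\r\n")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, manifest)

def demo():
    """Scan a temp tree holding one affected and one fixed jar; return the flagged file names."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "commons-text-1.9.jar"), "1.9")
    make_sample_jar(os.path.join(root, "commons-text-1.10.0.jar"), "1.10.0")
    return sorted(os.path.basename(p) for p, _ in vulnerable_jars(root))
```

Pointing `vulnerable_jars()` at an application’s lib or a container’s filesystem also catches copies bundled inside vendor products, which is where the follow-on advisories are expected.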