Topic: NASA’s Mars Helicopter Apparently Has the Log4j Security Flaw

Elderberry
NASA’s Mars Helicopter Apparently Has the Log4j Security Flaw
« on: December 17, 2021, 12:54:04 am »
The Byte by Abby Lee Hood 12/16/2021

What's really going on here?

Could the Ingenuity Mars Helicopter be hacked? A recent NASA announcement makes us think there’s the slimmest of chances.

In a new NASA press release celebrating an Ingenuity Mars Helicopter flight time milestone, the agency said that on Dec. 5, toward the end of its flight, the team lost some connections with the rotorcraft. The release said enough data was transmitted to Earth via Perseverance — the rover the helicopter accompanied into space — to determine a healthy helicopter on the red planet’s surface, but they couldn’t yet declare a successful mission.

“The rotorcraft’s status after the Dec. 5 flight was previously unconfirmed due to an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight,” NASA’s press release said.

That incident could be because of the Log4j bug, according to the Register. Back in June, the official account for Apache Software Foundation tweeted that the Mars 2020 Helicopter mission is powered by Apache Log4j.

More: https://futurism.com/the-byte/mars-helicopter-log4j-flaw

Elderberry
Re: NASA’s Mars Helicopter Apparently Has the Log4j Security Flaw
« Reply #1 on: December 17, 2021, 12:56:17 am »
Log4J and Internet Castles Made of Sand

Lawrence Person's BattleSwarm Blog

https://www.battleswarmblog.com/?p=50022
Quote
If you work outside of a tech company, chances are you’ve spent this week primarily concerned with getting ready for Christmas. If you work inside a tech company, there’s a significant chance your company spent much of this week patching a critical vulnerability in an open source Java logging library called Log4J.

Here’s a non-technical explanation of the problem:

    It’s a vulnerability that was discovered in a piece of free, open source software called log4j. This software is used by thousands of websites and applications, to perform mundane functions most people don’t think about, such as logging information for use by that website’s developers, for debugging and other purposes.

    Every web application needs functionality like this, and as a result, the use of log4j is ubiquitous worldwide. Unfortunately, it turns out log4j has a previously undiscovered security vulnerability where data sent to it through that website — if it contains a special sequence of characters — results in log4j automatically fetching additional software from an external website and running it. If a cyberattacker exploits this, they can make the server that is running log4j run any software they want — including software that can completely take over that server. This is known as a Remote Code Execution (RCE) attack.

To use a technical phrase, this is Really Bad.

    The net result is that, left unaddressed, cyberattackers right now can completely take over thousands of websites and online applications, allowing them to steal money, data, and access. The security community has been completely focused on this vulnerability for the past two days, and updating servers running log4j as quickly as possible to protect against this vulnerability.

    The good news is that mitigations are relatively easy to implement. The bad news is that left unmitigated, the vulnerability is extremely easy to exploit. iCloud, Minecraft, Baidu, and many other sites have been confirmed to be vulnerable so far, and you’ll likely hear more about many other sites being vulnerable in the coming days.


Kamaji
Re: NASA’s Mars Helicopter Apparently Has the Log4j Security Flaw
« Reply #2 on: December 17, 2021, 01:26:18 am »
Wow. 

Elderberry
Re: NASA’s Mars Helicopter Apparently Has the Log4j Security Flaw
« Reply #3 on: December 18, 2021, 12:45:25 pm »
Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability

The Hacker news by Ravie Lakshmanan December 18, 2021

https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html

Quote
The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack.

Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an "incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," the ASF explained in a revised advisory. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process."

I've been noticing that my VPN program has been having daily updates.
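The three advisories quoted in this thread each give an affected range and a fixed-in version, and the first thing a defender does with that is check an inventory of deployed log4j-core versions against them. The script below is an added example, not code from the thread, the Hacker News article or the Apache project. The ranges for CVE-2021-45105 (2.0-alpha1 through 2.16.0, fixed in 2.17.0) and the fixed-in versions 2.16.0 and 2.17.0 come from the quoted text; the 2.15.0 fixed-in version for CVE-2021-44228 and the 2.0-beta9 lower bounds come from the ASF advisories rather than this page. The hostnames and versions in the inventory are constructed sample data.

```python
"""Triage deployed Log4j 2 versions against the three December 2021 advisories.

Added example (not from the thread or Apache). Handles the pre-release
labels that appear in the advisories ("2.0-alpha1", "2.0-beta9"), which a
naive string comparison or float() would get wrong.
"""
import re

# Constructed inventory of (host, log4j-core version); not real systems.
SAMPLE_INVENTORY = [
    ("build-agent-01", "2.14.1"),
    ("ingest-api", "2.15.0"),
    ("ingest-worker", "2.16.0"),
    ("legacy-report", "2.0-beta9"),
    ("ancient-batch", "2.0-alpha1"),
    ("patched-gateway", "2.17.0"),
    ("old-style", "1.2.17"),      # Log4j 1.x: not in these 2.x ranges, EOL, review separately
]

# (CVE, first affected, last affected, fixed in). 45105 range is from the ASF
# advisory quoted above; 44228/45046 bounds are from the ASF advisories, not this page.
# Caveat: the 2.3.x (Java 6) and 2.12.x (Java 7) backport branches received
# separate fixes that this mainline-only table does not model; treat hits on
# those branches as "needs manual review".
ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", "2.15.0"),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", "2.16.0"),
    ("CVE-2021-45105", "2.0-alpha1", "2.16.0", "2.17.0"),
]

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")


def parse_version(text):
    """Map a version string to a tuple that sorts correctly.

    Pre-releases sort before the final release of the same number:
    2.0-alpha1 < 2.0-beta9 < 2.0 < 2.0.1.  The fourth element is 0 for a
    pre-release and 1 for a final, so the tag/number only matter within
    pre-releases.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, tag, n = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    if tag:
        return base + (0, _PRERELEASE_RANK[tag], int(n))
    return base + (1, 0, 0)


def affected_by(version):
    """Return the CVE ids whose affected range contains `version`, in table order."""
    v = parse_version(version)
    return [
        cve for cve, first, last, _fixed in ADVISORIES
        if parse_version(first) <= v <= parse_version(last)
    ]


def recommended_upgrade(version):
    """Lowest version that clears every advisory hitting `version`, or None if clean."""
    fixes = [fixed for cve, _f, _l, fixed in ADVISORIES if cve in affected_by(version)]
    return max(fixes, key=parse_version) if fixes else None


def triage(inventory):
    """Map host -> (affected CVEs, recommended upgrade) for an inventory of (host, version)."""
    return {host: (affected_by(ver), recommended_upgrade(ver)) for host, ver in inventory}


if __name__ == "__main__":
    for host, (cves, upgrade) in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not in the 2.x affected ranges"
        print(f"{host:18} {status:50} upgrade to: {upgrade or '-'}")
```

Because every range on the page is open at both ends only by version number, the whole check reduces to a correct ordering of version strings; the pre-release handling is the part worth testing, since "2.0-beta9" must land inside a range whose lower bound is "2.0-beta9" and "2.0-alpha1" must land outside it.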