How promptly do you respond to severe zero-day security vulnerabilities?

[MichaelCorfman]

Less than a week ago, on December 9th, security researchers discovered a flaw in the software library Log4j, a widely used software library estimated to have over 100 million instances globally. The flaw has been ranked 10 out of 10 on the Common Vulnerability Scoring System (CVSS) due to the potential impact it might have when exploited by hackers.

Details are provided in the National Vulnerability Database (NVD) under the CVE dictionary entry CVE-2021-44228 initially published on 10 December 2021. According to an article published on Wired, The Log4J Vulnerability Will Haunt the Internet for Years.

Already system administrators and security professionals are scrambling to protect their systems. The servers we operate, including those used for the GPWA, underwent emergency updates and reboots to address this new zero-day vulnerability this morning.

For today's poll I ask about your response to vulnerabilities such as this. How quickly do you assess and respond to serious threats like Log4J? Do you research and respond right away? Do you wait for updates to be provided by your software providers and install them right away? Or do you wait and apply updates for issues like this well after they are available by your software providers? Or do you view that handling vulnerabilities like this is outside the scope of what you do?

Michael

[universal4]

Here are a few more resources for those that might be looking for more information on determining if there servers are vulnerable.

Tech Republic has a pretty straight forward explanation:
How to test if your Linux server is vulnerable to Log4j

Here is zdnet's article with a bit of background also
https://www.zdnet.com/article/log4j-...tect-yourself/

Since Debian is my preferred choice of Linux, I checked the update date and their fix was issued on the 11th. I assume RedHat likely had their ready by then and guessing Ubuntu was most likely by then or shortly after Debian's. I did not look to see the others.

Main take away I think for most to consider are for checking installs that use Apache and checking if the Log4j is in use and the version. The vulnerability exists in Log4j prior to version 2.15.0 .

Rick
Universal4

[universal4]

I have been thinking about this poll a bit.

Although this particular threat for me personally was something I felt should get some immediate attention, and I can understand how others could take a more relaxed approach since they rely on their web hosts or server tech's to safeguard against it, the poll itself asks a very important question.

For me any time I see an announcement of a zero day attack or vulnerability, I usually try and at least look to see what kind of issue it is or can cause.

I am actually a little less worried about issues that affect desktops and workstations, however one must always stay vigilant and aware of risks and to take care to stay protected.

For desktop type of warnings I usually immediately run an antivirus update just in case a new patch or fix is out and I monitor for windows updates as well in case an update is released to address the concern.

Although this particular zero day security warning may not have affected you, be sure to not become complacent, the next one might.

Rick
Universal4