SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Critical Apache Log4j vulnerability being exploited in the wild
Description: Defenders across the security community are pushing to address CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. The vulnerability affects a widely used Java logging library that many large organizations may have in their environment. So far, major targets have included Apple and the popular video game "Minecraft." This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes attackers will exploit it widely going forward, and users should patch affected products and implement mitigations as soon as possible. Apache has released a new update for Log4j, version 2.16.0. While the previous release (2.15.0) removed the ability to resolve lookups and addressed issues to mitigate CVE-2021-44228, this release disables JNDI by default and removes support for message lookups. Please refer to the Mitigations section for more details.
Snort SIDs: 58722 - 58744, 58751
Snort 3 SIDs: 300055 - 300058
ClamAV signatures: Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4 and Java.Exploit.CVE_2021_44228-9915330-0
Title: Microsoft issues patches for 80 vulnerabilities as part of December Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 80 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month have been actively exploited in the wild, the first time that has been the case in several months, though four have already been publicly disclosed. December’s security update features five critical vulnerabilities, with the rest considered “important.” The most serious of the issues is CVE-2021-43215, a memory corruption vulnerability that could lead to remote code execution in iSNS Server. The iSNS protocol handles interaction between iSNS servers and iSNS clients, with the server allowing network users to query an iSNS database. An attacker could exploit this vulnerability by sending a specially crafted request to an iSNS Server. This vulnerability was assigned a severity score of 9.8 out of 10.
Snort SIDs: 58752 - 58757, 58635 and 58636