New version to be released 1st November. Organisations should act now to track down OpenSSL 3.0.x in their infrastructure, warns Sonatype
The newly disclosed RCE bug stems from the insecure implementation of Commons Text's variable interpolation feature, but it is hard to exploit
Initial analysis indicates that the bug may not be as severe as Log4Shell
Hackers exploited vulnerabilities in internet-facing web applications to infect systems
After successfully exploiting the bug, they can run malicious PowerShell commands, install backdoors, and steal credentials from infected machines
It's all about knowing what you have, how the software is interconnected and then getting boots on the ground, says SNHU's endpoint team
All H2 users should upgrade to the newest version, 2.0.206, which is patched for the flaw
Threat actors can use a two-stage attack to establish a presence on affected networks
Multiple threat groups are currently leveraging Log4j bugs in their operations
The 'high severity' bug that was fixed is an uncontrolled recursion flaw