IT Security: Linux, macOS Alert Receives an Update

The BSI has updated an IT security alert covering a known Logback vulnerability. Here you can read a summary of the security hole, the latest updates and details about the affected Linux, macOS

The Federal Office for Information Security (BSI) published an update on May 16, 2024 to a security alert for a Logback vulnerability first reported on December 3, 2023. The vulnerability affects Linux, macOS

The latest vendor recommendations on updates, fixes and security patches for this vulnerability can be found here: IBM Security Bulletin 7153639 (as of May 17, 2024). Further useful resources are listed later in this article.

Logback Security Alert – Risk: High

Risk level: 3 (high)
CVSS base score: 8.6
CVSS temporal score: 7.5
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes potential or actual security risks comparable on the basis of several criteria, so that countermeasures can be prioritized. The ratings "none", "low", "medium", "high" and "critical" describe the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges and user interaction) as well as its consequences. The temporal score additionally takes into account changes in the threat situation over time. According to CVSS, the risk posed by the vulnerability discussed here is rated "high", with a base score of 8.6.

Logback Vulnerability: Flaw Allows Denial of Service

Logback is the successor to the popular log4j project and provides a Java logging API.

A remote, anonymous attacker could exploit a vulnerability in Logback to cause a denial-of-service condition.

Vulnerabilities are identified by a CVE ID (Common Vulnerabilities and Exposures). This vulnerability is listed as CVE-2023-6378.

Systems affected by the Logback vulnerability, at a glance

Operating systems
Linux, macOS

Products
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
IBM Spectrum Protect 8.1 (cpe:/a:ibm:spectrum_protect)
Open Source Logback
VMware Tanzu Spring Cloud Dataflow
Atlassian Confluence
Open Source Camunda

General steps to address IT security gaps

  1. Users of affected systems should keep themselves informed. When security holes become known, vendors are obliged to fix them as quickly as possible by providing a patch or a workaround. If new security updates are available, install them promptly.
  2. For details, see the sources listed in the following section. These usually contain further information about the latest version of the software concerned and the availability of security patches or hardening advice.
  3. If in doubt, contact your responsible administrator. IT security officers should check regularly whenever a vendor publishes a new security update.

Resources for updates, patches, and fixes

Here you will find links to bug reports, security fixes and workarounds.

IBM Security Bulletin 7153639 dated 05-17-2024 (16.05.2024)
IBM Security Bulletin (24.03.2024)
Atlassian Security Bulletin February 2024 (20.02.2024)
Camunda Security Notices (12.02.2024)
Red Hat Security Advisory RHSA-2024:0793 dated 2024-02-12 (12.02.2024)
GitHub Security Advisory GHSA-VMQ6-5M68-F53M dated 2024-01-12 (11.01.2024)
NIST Vulnerability Database dated 12/03/2023 (03.12.2023)
Logback advisory dated 2023-12-03 (03.12.2023)

Version history of this security alert

This is version 6 of this Logback IT security alert. This document will be updated as further updates become available. The changes and additions can be traced in this version history.

December 3, 2023 – First version
01/11/2024 – New open-source updates added
02/12/2024 – New updates from Red Hat added
02/20/2024 – New updates added
2024-03-24 – New updates from IBM added
May 16, 2024 – New updates from IBM added

+++ Editorial notice: This document is based on current BSI information and will be kept up to date via a data-driven method depending on the status of the alert. Suggestions and feedback are welcome at (email protected). +++
