|
Internet Explorer posted:I don't have GRANT MOD ACCESS rights. its called account sharing
|
#
?
Dec 15, 2021 05:13
|
|
|
|
| # ? Jun 2, 2024 20:42 |
|
|
The timing of this is amazing. The lull after thanksgiving. Product managers trying to squeeze out last features before end of year change freezes and they go on vacation. So many engineers taking time off. Everyone scrambling, making poor decisions, teams have to patch their own code, teams need support from vendors, people realizing they aren't using a product that's supported anymore and can't be patched. I'm just trying to not get pulled into anyone else's bullshit. The platforms I manage aren't affected. I'm sure software that teams deploy on it are. Not.My.Problem.
|
|
#
?
Dec 15, 2021 05:17
|
|
|
Internet Explorer posted:I don't have GRANT MOD ACCESS rights. The fact that you considered it for the briefest of seconds is probably why you don't.
|
|
#
?
Dec 15, 2021 05:32
|
|
|
You have made a powerful enemy this day.
|
|
#
?
Dec 15, 2021 06:41
|
|
|
I'll never let The Man keep me down! Never! 
|
|
#
?
Dec 15, 2021 06:43
|
|
|
So my initial take is the offending class file is in log4j-core-*.jar, but there's oodles of plain log4j.jar files out there and Nessus tags those and v1 as vulnerable. Customer running scans is demanding we handle v1 as part of 44228 and I am pushing back . We initially ran a script via HPSA crawling thousands of servers for jar files. Day 5 dawns. Still missing patches from major vendors. Off to check vendor websites.
|
|
#
?
Dec 15, 2021 07:36
|
|
|
Rust Martialis posted:So my initial take is the offending class file is in log4j-core-*.jar, but there's oodles of plain log4j.jar files out there and Nessus tags those and v1 as vulnerable. Customer running scans is demanding we handle v1 as part of 44228 and I am pushing back . My client is still 99% running log4j v1 which has been fun
|
|
#
?
Dec 15, 2021 07:38
|
|
|
Is removing that class from your classpath a legit thing? Like … does log4j catch that gracefully? I’m having trouble imagining a case where a chunk of code just goes missing and a java app just goes “welp lol guess we’ll just move right along then”? Or is my imagination just broken after yet another 12+ hour war room bridge? What day is it, even?
|
|
#
?
Dec 15, 2021 07:50
|
|
|
We had at least one instance where a team renamed the log4j jar file, no feedback yet if the app barfed
|
|
#
?
Dec 15, 2021 07:55
|
|
|
Martytoof posted:Is removing that class from your classpath a legit thing? Like … does log4j catch that gracefully? I’m having trouble imagining a case where a chunk of code just goes missing and a java app just goes “welp lol guess we’ll just move right along then”? I'd imagine a lot of these things are implemented in a modular fashion, like step 1 is "load up all the log message transformers present on the classpath" and step 2 is "apply all the loaded log message transformers". So if you delete one of the classes, the only adverse effect is that that particular transformation never gets run.
|
|
#
?
Dec 15, 2021 08:05
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)." Dehumaniiiiize yourseeeeelllllllllf Bonus: "Unfortunately, we have an example that Redhat has used log4j in what is called an "uberjar" where the file name does not directly indicate that there is log4j inside the jar and where the class namespaces have been changed." 
Rust Martialis fucked around with this message at 10:07 on Dec 15, 2021 |
|
#
?
Dec 15, 2021 08:28
|
|
|
Java is a wonderful language
|
|
#
?
Dec 15, 2021 12:10
|
|
|
Write once, test everywhere!
|
|
#
?
Dec 15, 2021 13:26
|
|
|
Rust Martialis posted:Dehumaniiiiize yourseeeeelllllllllf I saw this at 1am on a war room bridge last night and 
|
|
#
?
Dec 15, 2021 15:33
|
|
|
chin up everything sucks posted:My boss sent me a $50 doordash gift card for my hard work. Yay! I have been offered a blanket, or insulated lunch bag I am very tired.
|
|
#
?
Dec 15, 2021 16:03
|
|
|
If anyone finds a script for either shell or PowerShell that can recursively crawl an entire disk, and for each .jar file it sees, list all the class files in it, including any in a jar file *nested* in the jar file, please post a link. Right now some vendors are saying patches next week. The list of vulnerable Oracle and Cisco products is huge. The amount of 1.x in things like SAP is mind bending. Nessus does have local and remote (callback) plugins and you might get try-it licenses.
|
|
#
?
Dec 15, 2021 17:45
|
|
|
Rust Martialis posted:If anyone finds a script for either shell or PowerShell that can recursively crawl an entire disk, and for each .jar file it sees, list all the class files in it, including any in a jar file *nested* in the jar file, please post a link. Was about to ask for the same thing- there's a python script out there, but that only seems to check URLs, and I can't seem to get it to work for internal systems, irritatingly enough. It's this, https://github.com/fullhunt/log4j-scan if you hate yourself enough to python on windows.
|
|
#
?
Dec 15, 2021 17:47
|
|
|
I want something I can pass to the HPSA team to run on every one of thousands of servers.
|
|
#
?
Dec 15, 2021 18:06
|
|
|
My security team is now rushing to deploy Sentinel One on all the linux servers. For years, the official stance was "only windows servers needed it" despite the fact that most of the nasty stuff out there came from java. As someone who saw the effects that the early Sentinel One rollouts on those windows servers, this is for sure going to go perfectly fine if they try to jam this through before the end of the year. What could go wrong? Seriously though, we have some real concerns if we have enough memory overhead on VMWare to even support that org-wide.
|
|
#
?
Dec 15, 2021 18:43
|
|
|
We've patched all our internal developed apps, its all vendor stuff now 
|
|
#
?
Dec 15, 2021 18:45
|
|
|
I was afraid I was going to miss all the fun with my few days off. No vulnerability management utility, no spreadsheet, just random Teams chat and a ticket no one is updating. The current table that was pasted into Teams is missing a bunch of stuff I know is vulnerable. Beautiful, I love it, no notes.
|
|
#
?
Dec 15, 2021 18:49
|
|
|
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1 NSO isn't messing around 
|
|
#
?
Dec 15, 2021 18:51
|
|
|
Ugly hack but it 'works' with bsdtar 3.4.3 on FreeBSD: I created a file foo.class, created a tarfile called foo.jar, then tarred bar.class and foo.jar into bar.jar. Trying to simulate a nested jar file inside a jar file. You can concatenate tar files to list the content, just keep sending it to stdout, alternating x and t commands. pre:> tar xvfO bar.jar | tar xvfO - | tar tvfO - | tar xvfO - | tar tvf -
x bar.class
x foo.jar
x foo.class
then uhh munging itto find
> find . -name "*.jar" -exec sh -c 'tar xvfO "{}" | tar xvfO - | tar tvfO - | tar xvfO - | tar tvf -' \;
x bar.class
x foo.jar
x foo.class
PowerShell script on GitHub https://www.reddit.com/r/PowerShell/comments/resukw/log4shell_scanner_multiserver_massively_parallel/ Anyone know powershell comment oin it? Rust Martialis fucked around with this message at 19:20 on Dec 15, 2021 |
|
#
?
Dec 15, 2021 19:13
|
|
|
Internet Explorer posted:I don't have GRANT MOD ACCESS rights. I feel ya buddy, they took away local admin on my workstation as well  e: Rust Martialis posted:Bonus: Cup Runneth Over posted:Java is a wonderful language A few of our tech documents specifically note that .jar files need to be moved or deleted when they get updated, not just renamed to whatever-old.jar, because in some cases Java will read any .jar file it sees regardless of file name 
Takes No Damage fucked around with this message at 19:37 on Dec 15, 2021 |
|
#
?
Dec 15, 2021 19:30
|
|
|
Sitting in the waiting room at the docs I'm screwing around on my phone and I over hear the following from a woman in her 20's "So many patient portals, good thing I have this note book of usernames and passwords and where they go."
|
|
#
?
Dec 15, 2021 19:41
|
|
|
Defenestrategy posted:Sitting in the waiting room at the docs I'm screwing around on my phone and I over hear the following from a woman in her 20's Still way better than using the same password everywhere.
|
|
#
?
Dec 15, 2021 19:47
|
|
|
spankmeister posted:Still way better than using the same password everywhere. You're assuming they're not reusing?
|
|
#
?
Dec 15, 2021 19:48
|
|
|
Apparently it is pronounced "log forge" and I'm not sure how I feel about that.
|
|
#
?
Dec 15, 2021 19:50
|
|
|
No, its pronounced "Log four J" no matter what those idiots on twitter say.
|
|
#
?
Dec 15, 2021 21:27
|
|
|
I think the correct pronunciation is Log4j.
|
|
#
?
Dec 15, 2021 21:30
|
|
|
Mustache Ride posted:No, its pronounced "Log four J" no matter what those idiots on twitter say. I think they're going for that nordic J like fjord, but that's dumb it's Log Fourjay
|
|
#
?
Dec 15, 2021 21:34
|
|
|
Mustache Ride posted:No, its pronounced "Log four J" no matter what those idiots on twitter say.
|
|
#
?
Dec 15, 2021 21:56
|
|
|
The j is pronounced like the g in gif
|
|
#
?
Dec 15, 2021 22:26
|
|
|
Who's Jay and why are we compromising all our systems just to log for them?
|
|
#
?
Dec 15, 2021 22:26
|
|
|
My username is log4j. Last name Log, first name Jay, 4th of my name.
|
|
#
?
Dec 15, 2021 22:47
|
|
|
Cup Runneth Over posted:Who's Jay and why are we compromising all our systems just to log for them? Now that you mention it, it does sound like a worthy cause to rally around
|
|
#
?
Dec 15, 2021 22:49
|
|
|
Rust Martialis posted:Ugly hack but it 'works' with bsdtar 3.4.3 on FreeBSD: Aren’t jar files zip format rather than tar?
|
|
#
?
Dec 15, 2021 22:58
|
|
|
repiv posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1 That really is terrifying. Unbelievable piece of software.
|
|
#
?
Dec 16, 2021 02:30
|
|
|
repiv posted:https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1 That's just a standard buffer overflooooh. Oh my.
|
|
#
?
Dec 16, 2021 03:26
|
|
|
|
| # ? Jun 2, 2024 20:42 |
|
|
Today is the first day I managed to end a war room bridge before 6pm and I’m so thankful for the brief respite.
|
|
#
?
Dec 16, 2021 04:29
|
|