|
Rust Martialis posted:Did the image fail to convey itself? Does the Silent Hill wiki run on Java or something?
|
#
?
Dec 17, 2021 10:47
|
|
|
|
| # ? Jun 11, 2024 19:57 |
|
|
evil_bunnY posted:2.16 is apparently still problematic LMBO 2.16.0 should have deleted the lookup-placeholders-in-log-strings code, and also have disabled JNDI by default. Is it still vulnerable in some way? Google doesn't turn up anything for me about 2.16 still being vulnerable, just the 2.15 released last week.
|
|
#
?
Dec 17, 2021 13:52
|
|
|
evil_bunnY posted:2.16 is apparently still problematic LMBO source?? I am going to literally be lynched by developers if true.
|
|
#
?
Dec 17, 2021 14:23
|
|
|
Martytoof posted:source?? Sounds like you're having a rough time. Want to work with me as a consultant instead?
|
|
#
?
Dec 17, 2021 14:25
|
|
|
I'm seriously wondering if mid 40s is a good time to learn a trade.
|
|
#
?
Dec 17, 2021 14:28
|
|
|
Come to the dark side and
|
|
#
?
Dec 17, 2021 14:31
|
|
|
Esran posted:2.16.0 should have deleted the lookup-placeholders-in-log-strings code, and also have disabled JNDI by default. Is it still vulnerable in some way? Google doesn't turn up anything for me about 2.16 still being vulnerable, just the 2.15 released last week. I saw people on Twitter posting about it but the only thing I could find was some PR about how all the docs are bad and don't tell people that untrusted input is dangerous. which like, fine, they probably are bad! but that's not really what I care about in this context. did anyone find other reasons for 2.16 to be considered bad?
|
|
#
?
Dec 17, 2021 14:39
|
|
|
evil_bunnY posted:2.16 is apparently still problematic LMBO Where did you read this? I need to schedule some extra PTO if true.
|
|
#
?
Dec 17, 2021 14:39
|
|
|
2.16 is bad for the following reason: - it's still log4j
|
|
#
?
Dec 17, 2021 14:40
|
|
|
Esran posted:2.16.0 should have deleted the lookup-placeholders-in-log-strings code, and also have disabled JNDI by default. Is it still vulnerable in some way? Google doesn't turn up anything for me about 2.16 still being vulnerable, just the 2.15 released last week.
|
|
#
?
Dec 17, 2021 14:57
|
|
|
You almost gave me a loving heart attack. I just got everything patched and was planning on starting my 2 week vacation at noon today. Jerk
|
|
#
?
Dec 17, 2021 15:02
|
|
|
Sorry!!
|
|
#
?
Dec 17, 2021 15:05
|
|
|
lmao we're all running on caffeine and no sleep so no harm no foul but yeah I also had a heart attack -- like literally my face sank
|
|
#
?
Dec 17, 2021 15:06
|
|
|
At this point even if there was another round, that shits staying for a while. Between the exhaustion from this past round and the upcoming holidays, I don't think anyone has any time or energy left.
|
|
#
?
Dec 17, 2021 15:07
|
|
|
Yeah exactly. That's why I pivoted from software currency to REMOVE THE loving CLASS where we have that option Not sure how that works for vendor garbage and where it affects support SLAs where you start removing code lol ngl I kind of want to proactively pull the class from 2.16 too lol
|
|
#
?
Dec 17, 2021 15:10
|
|
|
Internet Explorer posted:At this point even if there was another round, that shits staying for a while. Between the exhaustion from this past round and the upcoming holidays, I don't think anyone has any time or energy left.
|
|
#
?
Dec 17, 2021 15:10
|
|
|
alright. 2.15 DOS has been upgraded to RCE. https://logging.apache.org/log4j/2.x/security.html 2.16 now has a DOS found in it.
|
|
#
?
Dec 17, 2021 15:42
|
|
|
hahahahha
|
|
#
?
Dec 17, 2021 16:00
|
|
|
Jowj posted:alright. 2.15 DOS has been upgraded to RCE. Is it? I think that's the original CVE. Or am I not reading that page correctly?
|
|
#
?
Dec 17, 2021 16:01
|
|
|
I don't see any vulnerability listed for 2.16 on that page?
|
|
#
?
Dec 17, 2021 16:03
|
|
|
Esran posted:I don't see any vulnerability listed for 2.16 on that page? Same. Quit trying to give me heart attacks.
|
|
#
?
Dec 17, 2021 16:06
|
|
|
Can we please cite a source if we're saying lol look at this thing that just happened, even if it's some dumb tweet  e: not anyone specific but just in general lol
|
|
#
?
Dec 17, 2021 16:23
|
|
|
https://issues.apache.org/jira/browse/LOG4J2-3230 Certain strings can cause infinite recursion Affects Version/s: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1, 2.15.0, 2.16.0 Fix Version/s: 2.17.0 Description If a string substitution is attempted for any reason on the following string, it will trigger an infinite recursion, and the application will crash: [censored to avoid cloudflare blocking me from SA again]. hopefully this bug report is bad/it's easily fixed because lol
|
|
#
?
Dec 17, 2021 16:49
|
|
|
|
|
#
?
Dec 17, 2021 17:16
|
|
|
Malloc Voidstar posted:hopefully this bug report is bad/it's easily fixed because lol
|
|
#
?
Dec 17, 2021 17:24
|
|
|
Just turn it all off and come back to it Jan 3rd
|
|
#
?
Dec 17, 2021 17:32
|
|
|
Proud Christian Mom posted:Just turn it all off and come back to it Jan 3rd
|
|
#
?
Dec 17, 2021 17:34
|
|
|
Going by the comments on that issue, it sounds like it only causes a crash (on 2.16) if the bad string is part of the appender config, not if the bad string is simply logged, i.e. the attacker has to get that string into the logging config somehow. Hopefully that's the case, if so that's not too serious. Edit: But also why is their string substitution applied recursively, that seems like a weird feature to have.
|
|
#
?
Dec 17, 2021 17:38
|
|
|
Esran posted:that seems like a weird feature to have. log4j 2: that seems like a weird feature to have
|
|
#
?
Dec 17, 2021 17:42
|
|
|
This is the vuln that never ends, it just goes round and round my friends
|
|
#
?
Dec 17, 2021 18:14
|
|
|
Cup Runneth Over posted:This is the vuln that never ends, it just goes round and round my friends Someone logged it without knowing what {itwas}
|
|
#
?
Dec 17, 2021 18:20
|
|
|
Esran posted:Edit: But also why is their string substitution applied recursively, that seems like a weird feature to have. The PS3's standard library printf() did this, for some reason. We couldn't ship games with printf() enabled (they checked symbols), so it didn't matter for shipping, but I ran into an issue printing UE3 level hashes that could have % in them, which means they could have %n in them, which means they could write to some arbitrary address
|
|
#
?
Dec 17, 2021 18:23
|
|
|
KillHour posted:Come to the dark side and
|
|
#
?
Dec 17, 2021 19:17
|
|
|
Proud Christian Mom posted:Just turn it all off and come back to it Jan 3rd It is inevitable that there will eventually be found an exploit so bad that it's cheaper to just not do any business for a couple weeks.
|
|
#
?
Dec 17, 2021 19:45
|
|
|
https://issues.apache.org/jira/browse/LOG4J2-3230
|
|
#
?
Dec 17, 2021 19:52
|
|
|
Far be it for me to poopoo on the proud tradition of Kramering into threads, and while I know you mean well, I'd invite you to look about 10 posts prior, on this very page.
|
|
#
?
Dec 17, 2021 19:59
|
|
|
Apologies, for I am tired
|
|
#
?
Dec 17, 2021 20:02
|
|
|
Rooney McNibnug posted:Apologies, for I am tired  I didn't mean to imply that you should absolutely under no circumstances do something like that, I'm not the dad of you or anything.
|
|
#
?
Dec 17, 2021 20:04
|
|
|
BlankSystemDaemon posted:I'm not the dad of you or anything. Maybe not but I'm my own grandpa.
|
|
#
?
Dec 17, 2021 20:08
|
|
|
|
| # ? Jun 11, 2024 19:57 |
|
|
Rooney McNibnug posted:Apologies, for I am tired i told my lady the other day that I haven't been this tired since I was a teen staying up 3 days I play quake, I am beaaaaat I hope your poo poo is almost done and you get to nap soon ✨
|
|
#
?
Dec 17, 2021 20:19
|
|