User Name
Password
AppleNova Forums » Third-Party Products »

Log4j vulnerability in the wild (major bad news)


Register Members List Calendar Search FAQ Posting Guidelines
Log4j vulnerability in the wild (major bad news)
Thread Tools
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-10, 09:22

Ars writeup about it: Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet
Quote:
Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that's used in countless apps, including those used by large enterprise organizations, several websites reported on last Thursday.
So this is a big deal. While it is best known for targeting Minecraft, Log4j is used in A LOT of other application. Heck, the java based map generation tool I used to use required it.

I'm looking through the details to see if there is something I need to patch on the ANMC server for it, but want to be sure many saw this since it will certainly effect more than our ANMC server.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2021-12-10, 09:34

Somewhat confused by the explanations. My understanding is: Java provides JNDI for lookup purposes, and this also used to support LDAP. log4j, in turn, supports loading code at runtime (for plug-in purposes, I presume). Someone figured out that if they trick your log4j code to log an LDAP URL, that in turn coerces (old unpatched versions of) the Java runtime into trying to load that code?

Something in there isn't quite right, is it?
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-10, 14:34

Log4Shell is the new name for the exploit.

Now I'm still trying to figure out how I can secure the ANMC server...
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2021-12-10, 16:17

https://tfun.org/2021/12/10/urgent-a...vulnerability/ has a few details on mitigation.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2021-12-10, 16:20

Also, if you rename an iPhone, you can (could?) exploit Apple's servers. Which, come on, that's funny.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-10, 16:36

Thanks, I'll look through those. I think our server version is in the clear but will have to dig to verify it.

Actually, I just checked and we don't have log4j installed on our MC server. It must only be the non-vanilla servers that are impacted.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-10, 17:52

I'm actually impressed that MS put out a specific guide for mitigating this with Minecraft.

The relevant part for us is that I updated our server to 1.18.1 earlier today so we are golden, server side that is.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
Ryan
Veteran Member
 
Join Date: May 2004
Location: Promise Land of Trustafarians
 
2021-12-10, 20:33

Yeah this ruined my Friday night.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-10, 20:38



Yeah, I messaged some people at work and the COO. I also got to walk away. Professionally it is out of my realm!
  quote
PB PM
Sneaky Punk
 
Join Date: Oct 2005
Location: Vancouver, BC
Send a message via Skype™ to PB PM 
2021-12-13, 10:10

Sounds like this really is a big deal, Revenue Canada (our IRS), took its online service down as of Friday due to “a global security threat”, I can only guess based on the the timing that this vulnerability has something to do with it. I can imagine their IT guys haven’t slept all weekend.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-13, 10:12

Oh yeah, it is huge actually. Some of my coworkers are scrambling right now due to this actually. Thankfully we are a small fish in the pond of the internet relatively speaking. Not that we are immune to a probing bot, but still.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
PB PM
Sneaky Punk
 
Join Date: Oct 2005
Location: Vancouver, BC
Send a message via Skype™ to PB PM 
2021-12-13, 10:15

I know there were some stories last week that huge chunks of Amazon’s server network was down for a while last week, maybe this had something to do with it as well?
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2021-12-13, 10:27

Possibly. I believe they haven't disclosed the reason for the us-east-1 outage yet.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-13, 14:24

Payroll company has fallen, undoubtedly more to come.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-14, 09:21

This looks like a cool way to track/block it if you use nginx.. You also have to install LUA for nginx but they seem to provide all the documents for the install. I haven't tried it but it looks like it is exactly what is needed.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
PB PM
Sneaky Punk
 
Join Date: Oct 2005
Location: Vancouver, BC
Send a message via Skype™ to PB PM 
2021-12-14, 12:13

Wouldn't it be faster just to install the patched version of Logi4 than add other things?
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-14, 13:16

Basically it would be for those situations where log4j is nested deep and you can't directly update it due to dependency hell. Minecraft is running it though you can't touch it. Now in the case of Minecraft it uses custom ports but yet was still vulnerable. IF it were an app that have Nginx running in front of it then you wouldn't have to fight the dependencies or wait for the developer to release a new version of the app with the fix. Instead you block it at the nginx reverse proxy.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
PB PM
Sneaky Punk
 
Join Date: Oct 2005
Location: Vancouver, BC
Send a message via Skype™ to PB PM 
2021-12-14, 14:35

That makes sense. I was just curious since the post makes it sound like that may not actually work to solve the problem. More of a mitigation rather than a solution.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-14, 16:44

This is really cool. Huntress put out a means to test your system if it is vulnerable.

Basically it gives you a UUID and a string to put into the various fields and see if it actually gets to the Huntress servers. Nice way to verify that your server is or isn't safe.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2021-12-14, 17:23

Quote:
This tool will not actually run any code on your systems.
Exactly what someone who will run code on your system would say.

  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-14, 18:07

I know, I know... but they did post it to GitHub.... assuming that is what is actually running on the hosted site.

In my case I played with it after snapshotting my VM. I'm good with it.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
PB PM
Sneaky Punk
 
Join Date: Oct 2005
Location: Vancouver, BC
Send a message via Skype™ to PB PM 
2021-12-16, 12:52

And then more trouble, the patch has issues.
  quote
Ryan
Veteran Member
 
Join Date: May 2004
Location: Promise Land of Trustafarians
 
2021-12-18, 13:13

We're gonna be patching log4j for weeks or months.

I'm on-call for the week of New Years and I fully expect to be doing some emergency deploys.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2021-12-21, 20:54

Now this is an interesting way to check without using third party tools. It is a one-liner you run on your system to check:
Code:
find / 2>/dev/null -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}".class "{}"
It actually works pretty well! At least the linux version, on a Synology forum there is a post I found this along with a Powershell version.

Code:
grep: /opt/minecraft/jars/minecraft_server.1.11.2.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.11.2.jar matches grep: /opt/minecraft/jars/minecraft_server.1.12.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.12.jar matches grep: /opt/minecraft/jars/minecraft_server.1.12.1.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.12.1.jar matches grep: /opt/minecraft/jars/minecraft_server.1.12.2.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.12.2.jar matches grep: /opt/minecraft/jars/minecraft_server.1.13.2.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.13.2.jar matches grep: /opt/minecraft/jars/minecraft_server.1.17.jar.class: No such file or directory Binary file /opt/minecraft/jars/minecraft_server.1.17.jar matches grep: /opt/minecraft/jars/minecraft_server.1.18.1.jar.class: No such file or directory grep: /opt/minecraft/versions/1.18.1/server-1.18.1.jar.class: No such file or directory ... grep: /opt/minecraft/libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar.class: No such file or directory Binary file /opt/minecraft/libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar matches
So the previous versions of Minecraft can be compromised as indicated by the "matches" where 1.18.1 doesn't match. Given there is still log4j core being used, it must just mitigate it via the MC jar.

Louis L'Amour, “To make democracy work, we must be a notion of participants, not simply observers. One who does not vote has no right to complain.”
MineCraft? mc.applenova.com | Visit us! | Maybe someday I'll proof read, until then deal with it.
  quote
Posting Rules Navigation
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Post Reply

Forum Jump
Thread Tools
Similar Threads
Thread Thread Starter Forum Replies Last Post
Try this in Safari.... (new security vulnerability) scratt Apple Products 55 2006-02-23 18:29
windows worm rocks major news companys windowsblowsass General Discussion 22 2005-08-17 23:27
BREAKING NEWS: plane skids off runway in Toronto, major fire psmith2.0 AppleOutsider 13 2005-08-03 16:25
Is the vulnerability patched? SonOfSylvanus Apple Products 8 2004-05-26 18:06


« Previous Thread | Next Thread »

All times are GMT -5. The time now is 21:12.


Powered by vBulletin®
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2022, AppleNova