Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Ars writeup about it: Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet
Quote:
I'm looking through the details to see if there is something I need to patch on the ANMC server for it, but want to be sure many saw this since it will certainly affect more than our ANMC server.
Louis L'Amour, “To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain.” Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it. |
|
quote |
‽
|
Somewhat confused by the explanations. My understanding is: Java provides JNDI for lookup purposes, and this also used to support LDAP. log4j, in turn, supports loading code at runtime (for plug-in purposes, I presume). Someone figured out that if they trick your log4j code to log an LDAP URL, that in turn coerces (old unpatched versions of) the Java runtime into trying to load that code?
Something in there isn't quite right, is it? |
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Log4Shell is the new name for the exploit.
Now I'm still trying to figure out how I can secure the ANMC server... |
quote |
‽
|
https://tfun.org/2021/12/10/urgent-a...vulnerability/ has a few details on mitigation.
|
quote |
‽
|
Also, if you rename an iPhone, you can (could?) exploit Apple's servers. Which, come on, that's funny.
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Thanks, I'll look through those. I think our server version is in the clear but will have to dig to verify it.
Actually, I just checked and we don't have log4j installed on our MC server. It must only be the non-vanilla servers that are impacted.
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
I'm actually impressed that MS put out a specific guide for mitigating this with Minecraft.
The relevant part for us is that I updated our server to 1.18.1 earlier today so we are golden, server side that is.
quote |
Veteran Member
Join Date: May 2004
Location: Promise Land of Trustafarians
|
Yeah this ruined my Friday night.
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Yeah, I messaged some people at work and the COO. I also got to walk away. Professionally it is out of my realm! |
quote |
Sneaky Punk
|
Sounds like this really is a big deal, Revenue Canada (our IRS), took its online service down as of Friday due to “a global security threat”, I can only guess based on the timing that this vulnerability has something to do with it. I can imagine their IT guys haven’t slept all weekend.
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Oh yeah, it is huge actually. Some of my coworkers are scrambling right now due to this actually. Thankfully we are a small fish in the pond of the internet relatively speaking. Not that we are immune to a probing bot, but still.
quote |
‽
|
Possibly. I believe they haven't disclosed the reason for the us-east-1 outage yet.
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
This looks like a cool way to track/block it if you use nginx. You also have to install Lua for nginx but they seem to provide all the documents for the install. I haven't tried it but it looks like it is exactly what is needed.
quote |
Sneaky Punk
|
Wouldn't it be faster just to install the patched version of Log4j than add other things?
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Basically it would be for those situations where log4j is nested deep and you can't directly update it due to dependency hell. Minecraft is running it though you can't touch it. Now in the case of Minecraft it uses custom ports but yet was still vulnerable. If it were an app that has Nginx running in front of it then you wouldn't have to fight the dependencies or wait for the developer to release a new version of the app with the fix. Instead you block it at the nginx reverse proxy.
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
This is really cool. Huntress put out a means to test your system if it is vulnerable.
Basically it gives you a UUID and a string to put into the various fields and see if it actually gets to the Huntress servers. Nice way to verify that your server is or isn't safe.
quote |
‽
|
Quote:
|
|
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
I know, I know... but they did post it to GitHub.... assuming that is what is actually running on the hosted site.
In my case I played with it after snapshotting my VM. I'm good with it.
quote |
Sneaky Punk
|
And then more trouble, the patch has issues.
|
quote |
Veteran Member
Join Date: May 2004
Location: Promise Land of Trustafarians
|
We're gonna be patching log4j for weeks or months.
I'm on-call for the week of New Years and I fully expect to be doing some emergency deploys. |
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Now this is an interesting way to check without using third party tools. It is a one-liner you run on your system to check:
Code:
find / 2>/dev/null -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}".class "{}"
It actually works pretty well! At least the Linux version. On a Synology forum there is a post where I found this, along with a PowerShell version.
Code:
grep: /opt/minecraft/jars/minecraft_server.1.11.2.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.11.2.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.12.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.12.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.12.1.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.12.1.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.12.2.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.12.2.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.13.2.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.13.2.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.17.jar.class: No such file or directory
Binary file /opt/minecraft/jars/minecraft_server.1.17.jar matches
grep: /opt/minecraft/jars/minecraft_server.1.18.1.jar.class: No such file or directory
grep: /opt/minecraft/versions/1.18.1/server-1.18.1.jar.class: No such file or directory
...
grep: /opt/minecraft/libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar.class: No such file or directory
Binary file /opt/minecraft/libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar matches
So the previous versions of Minecraft can be compromised as indicated by the "matches" where 1.18.1 doesn't match. Given there is still log4j core being used, it must just mitigate it via the MC jar.
quote |
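An added example, not part of the original post or of the one-liner it quotes: the same presence check done in Python by reading each archive's entry list instead of grepping raw bytes, which also descends into jars bundled inside other jars. The `pom.properties` version lookup and the in-memory sample jars are assumptions constructed for the illustration; 2.14.1 is the version shown in the output above.

```python
import io
import zipfile

# Full entry name of the class the one-liner greps for.
TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata entry used to read the version (assumed present; shaded jars may lack it).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(location, log4j-core version or None)] for every copy of TARGET."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive: skip it instead of crashing
    with zf:
        names = set(zf.namelist())
        if TARGET in names:
            version = None
            if POM in names:
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        if depth < max_depth:  # bounded recursion into bundled archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVES):
                    inner = f"{label}!/{name}"
                    findings += scan_archive(zf.read(name), inner, depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build a small in-memory jar from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a log4j-core-like jar, a server jar bundling it, and a clean jar.
CORE = make_jar({TARGET: b"\xca\xfe\xba\xbe", POM: b"artifactId=log4j-core\nversion=2.14.1\n"})
FAT = make_jar({"app/Main.class": b"\xca\xfe\xba\xbe", "libraries/log4j-core.jar": CORE})
CLEAN = make_jar({"app/Main.class": b"\xca\xfe\xba\xbe"})

for label, data in (("core.jar", CORE), ("server.jar", FAT), ("clean.jar", CLEAN)):
    print(label, scan_archive(data, label))
```

A hit only shows that the class is present; patched log4j-core releases still ship `JndiLookup.class`, so the reported version has to be compared against the Log4j advisory.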