Here we go again... (Internet Vulnerability Apache Log4j)

[eytonxav]

Yet another major WW internet vulnerability that is already being exploited. It's pervasive in many servers, so hope it gets patched fast before too much damage is done:
https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/

 

[RunningBum]

Could the title please be changed to something meaningful? The current one ("Here we go again....") gives no clue.

 

[Aerides]

Could the title please be changed to something meaningful? The current one ("Here we go again....") gives no clue.

done

 

[MRG]

Who could have ever thought?

 

[MichaelB]

done

Thank you

 

[ExFlyBoy5]

Seems like a bad deal, but I will be honest...most of that article made no sense to me. Am I getting to the age that I may not be able to program a VCR anymore?

 

[GrayHare]

Those articles are purposely made tougher to read so as to not give birth to more hackers. It reminds me that every new version that fixes some exploit or bug probably adds new ones.

 

[OldShooter]

I don't worry about this stuff much. First, the information is not actionable because I am not running Apache servers. More importantly, the information comes from someone with a financial interest in people being alarmed. Norton is another frequent alarmist.

 

[Sunset]

Most of us cannot do anything about this as said by OldShooter .

Still, I does alarm me as log4j is a widely used error logging part of a server/application. It was widely used as it was really easy and great to add. Logging errors is a good way to have a history of what happened when the user complained about some issue.

<edit> from the article, it appears it would be trivial to create the exploit situation, I already have a good idea how to do it (and won't post). Fortunately the temp fix is quick and easy as well, although it may cripple some odd applications causing a rework.

Hopefully, the IT depts have been working all weekend to fix the issue, especially at banks, etc.

 

[eytonxav]

Yes, the troubling part is how widespread this software is used. I am not sure if any updates might be coming to end users or if this can be simply addressed on the server end, but I will certainly be on the lookout for any patches issued from Apple since I am on an iMac.

 

[target2019]

Log4j has landed. The article describes that the library has been weaponized and payload delivered.
https://thehackernews.com/2021/12/hackers-exploit-log4j-vulnerability-to.html

From a ZDNET article today:

Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. The list is even longer when adding products where a patch has been released.

https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/

I'm sure those companies are working dilligently to avoid mayhem.

 

[GTFan]

I worked in a company where lots of programs (including some I maintained) used log4j. The problem is that it's embedded in a TON of legacy stuff and it's very hard to quickly update everything.

Lots of extra time will be spent on this problem, rest assured.

 

[MRG]

I worked in a company where lots of programs (including some I maintained) used log4j. The problem is that it's embedded in a TON of legacy stuff and it's very hard to quickly update everything.

Lots of extra time will be spent on this problem, rest assured.

Or not.

 

[eytonxav]

Received security update from Apple this morning for my iMac.

 

[target2019]

A small startup I follow on Linkedin had a notice that they've secured their systems against this.

Cloudflare has the most detail I've seen so far:
https://blog.cloudflare.com/log4j-cloudflare-logs-mitigation/

 

[Yipper]

Seems like a bad deal, but I will be honest...most of that article made no sense to me. Am I getting to the age that I may not be able to program a VCR anymore?

what's a "VCR"?

 

[REWahoo]

what's a "VCR"?

Variable Cryptocurrency Reserve

 

[GTFan]

Or not.

Heh, did you work in MegaCorp IT as a software dev/sysadmin?

Cuz I did, and I know how they go apeshit over this stuff.

 

[MRG]

Heh, did you work in MegaCorp IT as a software dev/sysadmin?



Cuz I did, and I know how they go apeshit over this stuff.

+1
Yes. My concern is the seldom used administrative function that someone didn't think is used so no need to update. Folks are good at the core systems but those oddball seldom used legacy apps don't get much love.

 

[joesxm3]

What is not being mentioned is stuff like internet connected security cameras with embedded web servers and virtually no company support. What worries me is if they get the DVR then maybe they are inside your local network and can attack the pcs with other mechanisms.

 

[BigMoneyJim]

Interesting. I saw the headline elsewhere but didn't feel the need to immediately panic. This *is* a big deal for people running servers and other network-enabled Java apps, but most individuals won't need to do anything aside from be sure they don't play online with untrusted people on an older version of Minecraft Java Edition.

At first I was having trouble imagining how this could be so scary, but then I thought of lots of situations where I've seen user-submitted content go straight into log4j logs, and from there I see how an attacker could accomplish something remotely.

 

[GTFan]

Yeah the good thing for consumers is that it's a Java app issue, which has little effect there.

 

[RunningBum]

I read something a few days ago about what consumers should do about this. I didn't have time to post the link here and I think it was behind a paywall anyway, so I'm going off memory here.

The explanation is that the vulnerability allows for a piece of executable code to be triggered by a log. Code like malware. But that malware has to exist on the machine itself. The log vulnerability wouldn't put it there. So they said to take extra care not to click on any suspicious links or download attachments that don't look right or are from untrusted sources. The usual common sense stuff, but more urgent now, perhaps.

That would also seem to not make things like your internet connected security camera at risk because you wouldn't be doing something that would put malware on the device. If I understood the article correctly, it would only be laptops, desktops, phones and tablets.

It's also possible I didn't fully understand the article, especially how the malware can spread.

 

[eytonxav]

Apparently DHS is very concerned about this. I am not an IT guru, but when I see all these articles that raise concern over this pervasive piece of software, it queues me to be on the lookout and to not delay any updates. https://appleinsider.com/articles/2...lity-yet-says-department-of-homeland-security

 

[target2019]

The general pattern that has occured many times is:
- flaw is detected
- patch is tested
- patch update forced, or made optional
- human neglect or passage of time occurs
- hackers devise new attack vestors to utilize the flaw

I think you can imagine the rest. It's not just a server problem IMO. It's a security problem. If one part of a system is vulnerable, it creates additional opportunity throughout a network.