Bitcoin Forum

Other => Meta => Topic started by: HI-TEC99 on December 14, 2021, 09:47:47 AM



Title: Apache log4shell zeroday vulnerability
Post by: HI-TEC99 on December 14, 2021, 09:47:47 AM
If this forum uses the Apache Log4j logging tool, it's vulnerable to the new Log4Shell critical zero-day vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Any system using it needs upgrading, or the mitigation applying.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Quote
All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation.

The vulnerability is triggered by a simple string sent to a vulnerable server:

[example string blocked by cloudflare]

When the vulnerable application logs the string it triggers a lookup to an attacker-controlled remote LDAP server (example.com in our scenario). The response from the malicious server contains a path to a remote Java class file that’s injected into the server process. Attackers can execute commands with the same level of privilege as the application that uses the logging library.

Quote
Mitigation

Mitigations are available for versions of log4j 2.10.0 and up. Version 2.15.0 is not vulnerable by default. Note that there may be other dependencies, such as your Java version, that need to be updated before you can upgrade. Fixing the vulnerability may not be straightforward, but it is urgent.

According to the Apache log4j project, if you are unable to upgrade, for whatever reason, you can mitigate this vulnerability in version 2.10.0 or higher by switching log4j2.formatMsgNoLookups to true. This can be done by adding -Dlog4j2.formatMsgNoLookups=True to the JVM command for starting the application.
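As an added example (not code from the post or from either linked article), here is a small Python triage helper that applies the quoted version rules to a log4j-core jar path plus the JVM command line it was started with; the jar file-name pattern, the verdict labels and the LOG4J_FORMAT_MSG_NO_LOOKUPS environment-variable check (the same setting, not mentioned in the quote) are my assumptions.

```python
import re
from typing import Mapping, Optional, Sequence, Tuple

# Constructed for this example: file-name pattern of the log4j-core jar and the
# JVM option quoted above. The version rules follow the quoted advisory.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/\\]*\.jar$")
FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(.*)")


def parse_core_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) of a log4j-core jar, or None for any other file."""
    m = JAR_RE.search(path)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def lookups_disabled(jvm_args: Sequence[str], env: Mapping[str, str]) -> bool:
    """True if message lookups are switched off for this JVM.

    A later -D option overrides an earlier one, so the last value wins. Java's
    Boolean.parseBoolean is case-insensitive, which is why the quoted '=True' works.
    LOG4J_FORMAT_MSG_NO_LOOKUPS is the environment form of the same setting; the
    system property takes precedence when both are present (assumption).
    """
    value = None
    for arg in jvm_args:
        m = FLAG_RE.fullmatch(arg)
        if m:
            value = m.group(1)
    if value is None:
        value = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS")
    return value is not None and value.strip().lower() == "true"


def triage(jar_path: str, jvm_args: Sequence[str], env: Mapping[str, str]) -> str:
    """Classify one log4j-core jar against CVE-2021-44228 using the quoted rules."""
    ver = parse_core_version(jar_path)
    if ver is None:
        return "not-log4j-core"
    if ver < (2, 0, 0):
        return "log4j-1.x-out-of-scope"      # the quoted rules cover 2.x only
    if ver >= (2, 15, 0):
        return "not-vulnerable-by-default"
    if ver < (2, 10, 0):
        return "upgrade-required"            # the flag does not exist before 2.10.0
    return "mitigated" if lookups_disabled(jvm_args, env) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample: a 2.14.1 deployment started with the quoted JVM option.
    cmd = ["java", "-Dlog4j2.formatMsgNoLookups=True", "-jar", "app.jar"]
    print(triage("/opt/app/lib/log4j-core-2.14.1.jar", cmd, {}))  # mitigated
```

Feed it the jar paths from a file-system or package inventory and the argument list of each running Java process to get a per-deployment verdict.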




Title: Re: Apache log4shell zeroday vulnerability
Post by: NeuroticFish on December 14, 2021, 09:55:41 AM
This was already posted 4 days ago: https://bitcointalk.org/index.php?topic=5376340

And although I can understand that it's not related to bitcoin, the fact mods have buried that thread in Off-Topic looks a bit unfair. Probably that's also why you've missed it.


Title: Re: Apache log4shell zeroday vulnerability
Post by: HI-TEC99 on December 14, 2021, 09:59:57 AM
This was already posted 4 days ago: https://bitcointalk.org/index.php?topic=5376340

And although I can understand that it's not related to bitcoin, the fact mods have buried that thread in Off-Topic looks a bit unfair. Probably that's also why you've missed it.

Thanks, did the mods move that thread to Off-Topic from here?


Title: Re: Apache log4shell zeroday vulnerability
Post by: NeuroticFish on December 14, 2021, 10:05:40 AM
Thanks, did the mods move that thread to Off-Topic from here?

Somebody did. Yesterday that topic was (still) in Beginners and Help. (Clearly not the best place, I know.)


Title: Re: Apache log4shell zeroday vulnerability
Post by: HI-TEC99 on December 14, 2021, 10:16:26 AM
Thanks, did the mods move that thread to Off-Topic from here?

Somebody did. Yesterday that topic was (still) in Beginners and Help. (Clearly not the best place, I know.)

I'll leave this here, and the mods can delete it if they want. Maybe somebody might get alerted to the zero-day if they see it here.



Title: Re: Apache log4shell zeroday vulnerability
Post by: theymos on December 14, 2021, 03:42:40 PM
I heard about this when it happened and at that time thought about the impact on bitcointalk.org, but AFAICT we were never affected, since we don't use any Java software (neither software we've written nor off-the-shelf software). Since the issue is so pervasive, it is conceivable that we could've been affected via a service provider or through some method that I haven't thought of, but I don't think so.


Title: Re: Apache log4shell zeroday vulnerability
Post by: TheBeardedBaby on December 17, 2021, 12:11:32 PM
I heard about this when it happened and at that time thought about the impact on bitcointalk.org, but AFAICT we were never affected, since we don't use any Java software (neither software we've written nor off-the-shelf software). Since the issue is so pervasive, it is conceivable that we could've been affected via a service provider or through some method that I haven't thought of, but I don't think so.

Cloudflare was the only service I could think of, but they have fixed it (https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/).

@theymos, please let me know where I should share such breach/hack/bug info that can affect crypto users in some way. Which section is the most appropriate? Until now I've mostly used B&H, as newbies are the ones most likely to be affected and have the least protection (in general).