https://apnews.com/article/technology-b ... 57974c8f01
BOSTON (AP) — A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.
“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed that it had been “fully weaponized,” meaning that malefactors have developed and distributed tools to exploit.
Log4Shell - worst computer vulnerability since Heartbleed?
Moderator: Global Moderator
- dualstow
- Executive Member
- Posts: 14309
- Joined: Wed Oct 27, 2010 10:18 am
- Location: synagogue of Satan
Log4Shell - worst computer vulnerability since Heartbleed?
‘The internet’s on fire’ as techs race to fix software flaw
Re: Log4Shell - worst computer vulnerability since Heartbleed?
I first read your snippet and thought it was a vulnerability in Minecraft, and didn't particularly care. More careful reading indicates that a LOT of online services are trivially taken over by this attack. Yikes. Fortunately none of the services I run use Log4j, the vulnerable product.
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Had a quick look through; there is a POC already on GitHub: CVE-2021-44228 (Apache Log4j Remote Code Execution). Makes sense indeed, and I can already imagine some guys spending this weekend downloading and deploying the log4j 2.15 version.
And normally it's about the time for renewing anti-virus licenses, so why not rip off some more money from the users ...
[EDIT]: That's a good human explanation. Especially the paragraph on remediation, as the trustURLCodebase prop set to true is indeed what one can see in the above-mentioned GitHub POC.
Code:
This vulnerability can also be mitigated in previous releases (>=2.10):
By setting the system property "log4j2.formatMsgNoLookups" to "true" or
by removing the JndiLookup class from the classpath
(example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Java 8u121 protects against RCE by setting the properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
- dualstow
- Executive Member
- Posts: 14309
- Joined: Wed Oct 27, 2010 10:18 am
- Location: synagogue of Satan
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Yeah, I put Heartbleed in the subject title because this affects/can affect quite a lot of computers.
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Well, it depends; not sure one can really explain it simply. To check whether you may be affected you should verify:
JVM version – might be affected if your versions are lower than:
Java 6 – 6u212
Java 7 – 7u202
Java 8 – 8u192
Java 11 – 11.0.2
Log4j version – all 2.x versions before 2.15.0 (released very, very recently) are affected
Just being curious, I checked the Interactive Brokers desktop client (a.k.a. TWS) that I had upgraded just a week ago (to build 981.3e), and it's using an older version of log4j (2.12 if I recall). But if your versions of Java are newer than the above-mentioned, most likely there is nothing to worry about (as it's hard to imagine that a substantial amount of software has already adopted log4j version 2.15 ...)
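The two checks discussed in this thread (is the JndiLookup class still in the jar, and is log4j-core older than 2.15.0, plus the JVM builds listed in the post above) can be scripted. The checker below is an added example written for this page, not code from the thread or from the Log4j project; it assumes the jar carries the usual Maven pom.properties for log4j-core, and the jar and version strings it tests against are constructed in memory.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_LOG4J = (2, 15, 0)
JVM_MIN = {6: 212, 7: 202, 8: 192}  # minimum update per major version, as listed in the post

def numeric_version(text):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers such as '-beta9' are ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))

def log4j_core_version(zf):
    """Return the log4j-core version from Maven pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def assess_jar(jar_bytes):
    """Vulnerable when JndiLookup is present and log4j-core is older than 2.15.0 (or unknown)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = log4j_core_version(zf)
        has_jndi = JNDI_CLASS in zf.namelist()
    old = version is None or numeric_version(version) < FIXED_LOG4J
    return {"version": version, "jndi_lookup_present": has_jndi, "vulnerable": has_jndi and old}

def jvm_below_threshold(java_version):
    """True if the JVM predates the builds in the post: '1.8.0_181' is Java 8u181, '11.0.1' is Java 11."""
    m = re.match(r"1\.(\d)\.0_(\d+)", java_version)
    if m:  # legacy 1.x naming used by Java 6, 7 and 8
        major, update = int(m.group(1)), int(m.group(2))
        return update < JVM_MIN.get(major, 0)
    if java_version.startswith("11."):
        return numeric_version(java_version) < (11, 0, 2)
    return False  # other releases are outside the post's table; check them separately

def make_jar(version, include_jndi):
    """Constructed, minimal log4j-core-like jar built in memory for exercising the checker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()
```

Running `assess_jar` on `make_jar("2.12.1", False)` shows how the `zip -q -d` mitigation quoted earlier changes the verdict even though the version stays old.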
- Mountaineer
- Executive Member
- Posts: 4965
- Joined: Tue Feb 07, 2012 10:54 am
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Sorry, but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS or Android to access online content or files (assuming all apps and operating systems are the latest versions)?
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
- vnatale
- Executive Member
- Posts: 9490
- Joined: Fri Apr 12, 2019 8:56 pm
- Location: Massachusetts
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Mountaineer wrote: ↑Sat Dec 11, 2021 9:14 am
Sorry, but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS or Android to access online content or files (assuming all apps and operating systems are the latest versions)?
I was shocked to read that! After almost three years of reading all you have written .... if asked ... I would have put you in that camp!
Above provided by: Vinny, who always says: "I only regret that I have but one lap to give to my cats." AND "I'm a more-is-more person."
- dualstow
- Executive Member
- Posts: 14309
- Joined: Wed Oct 27, 2010 10:18 am
- Location: synagogue of Satan
Re: Log4Shell - worst computer vulnerability since Heartbleed?
- Mountaineer
- Executive Member
- Posts: 4965
- Joined: Tue Feb 07, 2012 10:54 am
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Mountaineer wrote: ↑Sat Dec 11, 2021 9:14 am
Sorry, but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS or Android to access online content or files (assuming all apps and operating systems are the latest versions)?
vnatale wrote: ↑Sat Dec 11, 2021 10:50 am
I was shocked to read that! After almost three years of reading all you have written .... if asked ... I would have put you in that camp!
Oh my, you found me out. I was just trying to be humble and acknowledge that my level of geekiness pales in comparison to others on this forum ....... but it's hard to be humble when you are perfect in every way (Mac Davis).
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
- Kriegsspiel
- Executive Member
- Posts: 4052
- Joined: Sun Sep 16, 2012 5:28 pm
Re: Log4Shell - worst computer vulnerability since Heartbleed?
I think it's hilarious that this massive exploit was used by children playing Minecraft. Isn't that just so Snow Crash?
Anyways.
A shit load of companies use Kronos.
As Log4Shell wreaks havoc, payroll service reports ransomware attack
As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest human resources solutions providers is reporting a ransomware attack that has taken its systems offline, possibly for the next several weeks. So far, the company isn't saying if that critical vulnerability was the means hackers used to breach the systems.
“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”
You there, Ephialtes. May you live forever.
- dualstow
- Executive Member
- Posts: 14309
- Joined: Wed Oct 27, 2010 10:18 am
- Location: synagogue of Satan
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Kriegsspiel wrote: ↑Tue Dec 14, 2021 2:28 pm
I think it's hilarious that this massive exploit was used by children playing Minecraft. Isn't that just so Snow Crash?
I’ve had that book forever and I’m finally reading it now. The book that coined ‘Metaverse’!
…
Re: Log4Shell - worst computer vulnerability since Heartbleed?
Update on the TWS vulnerability: on 16th December an auto-update kicked in, and TWS got self-upgraded to 981.3g (in my case from 981.3e). The build date of the new release is 16th December (obviously the guys in there worked round the clock). The files that were updated quickly appeared on the screen, but I am pretty confident that I saw a log4j jar in the list.