Log4Shell - worst computer vulnerability since Heartbleed?

dualstow
Executive Member
Posts: 14309
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan

Log4Shell - worst computer vulnerability since Heartbleed?

Post by dualstow »

‘The internet’s on fire’ as techs race to fix software flaw
BOSTON (AP) — A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.

“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed that it had been “fully weaponized,” meaning that malefactors have developed and distributed tools to exploit.
https://apnews.com/article/technology-b ... 57974c8f01
Xan
Administrator
Posts: 4406
Joined: Tue Mar 13, 2012 1:51 pm

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Xan »

I first read your snippet and thought it was a vulnerability in Minecraft, and didn't particularly care. More careful reading indicates that a LOT of online services are trivially taken over by this attack. Yikes. Fortunately none of the services I run use Log4j, the vulnerable product.
Vil
Executive Member
Posts: 423
Joined: Wed Jan 01, 2020 10:16 am

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Vil »

Had a quick look through, there is a POC already on GitHub: CVE-2021-44228 (Apache Log4j Remote Code Execution). Makes sense indeed, and I can already imagine some guys spending this weekend downloading and deploying the log4j 2.15 version :)

And normally it's about the time for renewing anti-virus licenses, so why not rip off some more money from the users ...

[EDIT]: That's a good human explanation. Especially the paragraph for remediation, as the trustURLCodebase prop set to true is indeed what one can see in the above-mentioned GitHub POC.

Code:

This vulnerability can also be mitigated in previous releases (>=2.10):

By setting the system property "log4j2.formatMsgNoLookups" to "true" or
by removing the JndiLookup class from the classpath
(example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Java 8u121 protects against RCE by setting the properties "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
dualstow
Executive Member
Posts: 14309
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by dualstow »

Yeah, I put Heartbleed in the subject title because this affects/can affect quite a lot of computers.
Vil
Executive Member
Posts: 423
Joined: Wed Jan 01, 2020 10:16 am

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Vil »

Well it depends, not sure one can really explain it simply. To check whether you may be affected you should verify:
JVM version – might be affected if your versions are lower than:
Java 6 – 6u212
Java 7 – 7u202
Java 8 – 8u192
Java 11 – 11.0.2
Log4j version – all 2.x versions before 2.15.0 (released very very recently) are affected

Just being curious, I checked the Interactive Brokers desktop client (a.k.a. TWS) that I had upgraded just a week ago (to build 981.3e) and it's using an older version of log4j (2.12 if I recall). But if your versions of Java are newer than the above-mentioned, most likely there's nothing to worry about (as it's hard to imagine that a substantial amount of software has already adopted log4j version 2.15 ...)
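As an added example (not from this thread, from Vil, or from the Log4j project), the Python script below automates the two checks discussed in Vil's posts above: it reads the Implementation-Version from a log4j-core jar's manifest, reports whether the JndiLookup class that the quoted advisory tells you to delete is still present, produces a cleaned copy the same way the quoted zip -d command does, and parses JVM version strings against the update levels listed above. Assumptions: the jar is a constructed in-memory stand-in (only the manifest and the entry names matter to the check, so the class bodies are fake); the 2.15.0 and 2.10 thresholds are the ones this thread quotes and should be set to whatever the current Log4j advisory says; and a JVM whose trustURLCodebase default is already false only narrows the problem, so the Log4j upgrade or the class removal is what actually counts.

```python
import io
import re
import zipfile

# Entry the thread's "zip -q -d" command deletes from log4j-core
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version thresholds as quoted in the thread (assumption: adjust to the current advisory)
FIXED_LOG4J = (2, 15, 0)           # first release the thread calls fixed
PROPERTY_MITIGATION_MIN = (2, 10)  # formatMsgNoLookups mitigation applies from 2.10
# JVM update levels the thread lists: below these, trustURLCodebase still defaults to true
JVM_THRESHOLDS = {6: (6, 212), 7: (7, 202), 8: (8, 192), 11: (11, 0, 2)}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus fake class
    entries, which is all the checks below look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_dotted(text):
    """'2.12.1' -> (2, 12, 1); build metadata after '+' or '-' is ignored."""
    return tuple(int(p) for p in re.split(r"[+-]", text.strip())[0].split("."))


def read_manifest_version(jar_bytes):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def assess_jar(jar_bytes):
    """Classify a log4j-core jar as patched (>= FIXED_LOG4J), mitigated (JndiLookup
    removed) or vulnerable, and say whether the formatMsgNoLookups property
    mitigation applies to this version at all."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        jndi_present = JNDI_LOOKUP_ENTRY in zf.namelist()
    version_text = read_manifest_version(jar_bytes)
    version = parse_dotted(version_text) if version_text else None
    if version is not None and version >= FIXED_LOG4J:
        status = "patched"
    elif not jndi_present:
        status = "mitigated"
    else:
        status = "vulnerable"
    return {
        "version": version_text,
        "jndi_lookup_present": jndi_present,
        "property_mitigation_applies": version is not None and version >= PROPERTY_MITIGATION_MIN,
        "status": status,
    }


def remove_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class, the effect of the quoted zip -d command."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def parse_jvm_version(text):
    """Old scheme '1.8.0_191' -> (8, 191); new scheme '11.0.2' -> (11, 0, 2)."""
    m = re.match(r"1\.(\d)\.0_(\d+)", text.strip())
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return parse_dotted(text)


def assess_jvm(text):
    """'older_default' if below the thread's update level for that major version,
    'newer_default' if at or above it, 'unknown' for majors the thread does not list.
    A newer default only narrows the exploit path; fixing Log4j itself is the remedy."""
    version = parse_jvm_version(text)
    threshold = JVM_THRESHOLDS.get(version[0])
    if threshold is None:
        return "unknown"
    return "older_default" if version < threshold else "newer_default"


if __name__ == "__main__":
    jar = build_sample_jar("2.12.1")
    print(assess_jar(jar))
    print(assess_jar(remove_jndi_lookup(jar)))
    for jvm in ("1.8.0_191", "1.8.0_192", "11.0.1", "17.0.1"):
        print(jvm, assess_jvm(jvm))
```

Point assess_jar at the bytes of a real log4j-core jar found on a classpath to get the same three-way answer; the "mitigated" state is what you see after the zip -d step, and "unknown" from assess_jvm simply means the thread's list does not cover that Java major.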
Xan
Administrator
Posts: 4406
Joined: Tue Mar 13, 2012 1:51 pm

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Xan »

MangoMan wrote: Sat Dec 11, 2021 7:29 am So what's the tl;dr version of laypeople action? Are there certain sites to avoid until it is fixed? Certain threads on here to avoid? :D

Really not much you can do, other than hope that server operators where your data lives are on the ball.
Mountaineer
Executive Member
Posts: 4965
Joined: Tue Feb 07, 2012 10:54 am

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Mountaineer »

Sorry but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS, Android to access online content or files (assuming all apps and operating systems are latest versions)?
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
vnatale
Executive Member
Posts: 9490
Joined: Fri Apr 12, 2019 8:56 pm
Location: Massachusetts

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by vnatale »

Mountaineer wrote: Sat Dec 11, 2021 9:14 am Sorry but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS, Android to access online content or files (assuming all apps and operating systems are latest versions)?

I was shocked to read that! After almost three years of reading all you have written .... if asked ... I would have put you in that camp!
Above provided by: Vinny, who always says: "I only regret that I have but one lap to give to my cats." AND "I'm a more-is-more person."
dualstow
Executive Member
Posts: 14309
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by dualstow »

Xan wrote: Sat Dec 11, 2021 9:08 am
MangoMan wrote: Sat Dec 11, 2021 7:29 am So what's the tl;dr version of laypeople action? Are there certain sites to avoid until it is fixed? Certain threads on here to avoid? :D
Really not much you can do, other than hope that server operators where your data lives are on the ball.

Yeah, I think it's like Heartbleed - largely out of our hands.
I'm going to follow Vil's advice on Java, though.
Mountaineer
Executive Member
Posts: 4965
Joined: Tue Feb 07, 2012 10:54 am

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Mountaineer »

vnatale wrote: Sat Dec 11, 2021 10:50 am
Mountaineer wrote: Sat Dec 11, 2021 9:14 am Sorry but I’m not an electronics geek. Does it make any difference whether one uses a Chromebook, PC, Mac, iOS, Android to access online content or files (assuming all apps and operating systems are latest versions)?
I was shocked to read that! After almost three years of reading all you have written .... if asked ... I would have put you in that camp!

Oh my, you found me out. I was just trying to be humble and acknowledge my level of geekness pales in comparison to others on this forum ....... but it's hard to be humble when you are perfect in every way (Mac Davis). O0
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
Kriegsspiel
Executive Member
Posts: 4052
Joined: Sun Sep 16, 2012 5:28 pm

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Kriegsspiel »

I think it's hilarious that this massive exploit was used by children playing Minecraft. Isn't that just so Snow Crash?

Anyways.
As Log4Shell wreaks havoc, payroll service reports ransomware attack

As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest human resources solutions providers is reporting a ransomware attack that has taken its systems offline, possibly for the next several weeks. So far, the company isn't saying if that critical vulnerability was the means hackers used to breach the systems.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”

link
A shit load of companies use Kronos.
You there, Ephialtes. May you live forever.
dualstow
Executive Member
Posts: 14309
Joined: Wed Oct 27, 2010 10:18 am
Location: synagogue of Satan

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by dualstow »

Kriegsspiel wrote: Tue Dec 14, 2021 2:28 pm I think it's hilarious that this massive exploit was used by children playing Minecraft. Isn't that just so Snow Crash?

I’ve had that book forever and I’m finally reading it now. The book that coined ‘Metaverse’!
Vil
Executive Member
Posts: 423
Joined: Wed Jan 01, 2020 10:16 am

Re: Log4Shell - worst computer vulnerability since Heartbleed?

Post by Vil »

Vil wrote: Sat Dec 11, 2021 8:30 am Just being curious, I checked the Interactive Brokers desktop client (a.k.a. TWS) that I had upgraded just a week ago (to build 981.3e) and it's using an older version of log4j (2.12 if I recall).

Update on the TWS vulnerability - on 16th December an auto-update kicked in, and TWS got self-upgraded to 981.3g (in my case from 981.3e). Build date of the new release is 16th December (obviously the guys in there worked round the clock). The files that were updated quickly appeared on the screen, but I am pretty confident that I saw the log4j jar in the list.