Worst vulnerability in the last 10 years!

xircon · December 11, 2021, 12:25pm

This looks nasty! Watch your servers.

Zircon34 · December 11, 2021, 12:34pm

Or don’t connect your server to the outside world…

keybreak · December 11, 2021, 12:43pm

vlkon · December 11, 2021, 12:45pm

I am puzzled. A whole page of words yet there is no information given (journalism at it’s finest).
So far I’ve got “do not have minecraft server on your production server (unles you patch it)”.

xircon · December 11, 2021, 12:57pm

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

If I had to run windows at home, Malwarebytes would be the only program I would run

lunainvictum · December 11, 2021, 2:54pm

lol.

Java on a Server? Serious? Never!

BS86 · December 11, 2021, 2:58pm

every service that uses log4j can be attacked. It does not have to be internet-facing, because the attack can be carried to internal systems via payload.
log4j versions 2.0-beta9 to 2.14.1 are vulnerable, although log4j 2.10 or higher can be “hardened” against the attack with setting log4j2.formatMsgNoLookups to true or by removing the JndiLookup class. Log4j 2.15 is the first fixed version.

Several hosters already said that they see internetwide scans for vulnerable services, most likely by attackers scanning for possible targets.

Here is an attempt by someone to list vulnerable services: https://github.com/YfryTchsGD/Log4jAttackSurface
Basically, everyone seems to be vulnerable.

Edit: Apparently, hackers only need to send a string in the format $JNDI:LDAP://SERVER/EXP to a vulnerable service to launch the attack.

otherbarry · December 11, 2021, 4:41pm

LOL at the global mass scanning this has triggered.

So many l33t hax0rs / bad actors / nation states putting together lists of vulnerable services / organizations for potential future exploitation.

You can bet randsomeware is being tweaked to use this CVE as a delivery mechanism too.

Only specific versions of log4j are vulnerable, small silver lining, but good luck opsec people trying to untangle this mess.

Kresimir · December 11, 2021, 11:56pm

It’s the Guardian, what do you expect? Useful information? Truth? Integrity? Any standards at all?

It’s not even journalism, it’s just tittle-tattle.

xircon · December 15, 2021, 5:27pm

Update on the BBC.

flyingcakes · December 15, 2021, 5:54pm

The “flagship” payment system used by my country’s government offices, to make huge payments daily runs using Java Applets and hence needs Internet Explorer to run. There have been news about high school drop outs hacking the thing, but rewriting the application seems more expensive to the government than spending to catch these kids and dealing with losses there.

Technology is really amazing, isn’t it

Bryanpwo · December 15, 2021, 5:57pm

Well, rest assured, our purple little universe is far, far away from this issue. No Java on our server, only in my coffee mug