Log4J
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
When I heard about it a bit over a week ago, I scanned all my file systems. The only bits that came close were some historical backups of long-dead machines. The first attempted exploit in my server logs was at 2021-12-11 00:28Z. Since then the "villains" are using all sorts of cute encoding tricks to get
jndipast dumb filters that look for it in plain text. They account for currently around 7 or 8% of the noise traffic (i.e. by IP address, not hostname). And yes, I think there is a considerable "beatup" component. Apart from Minecraft, I haven't heard of any significant exploits.Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
Where I work (Windows shop) we only have two candidates, TeamCity and Jira, both were not affected.
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
Well plenty of 1999 stuff is still running in production in plenty of places.. why changes something that is working hey?! AS400 and Cobol is much older and still widely in use! :O
A new .NET Serializer All in one Menu-Ribbon Bar Taking over the world since 1371!
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
I have a Linux Jenkins build server and whilst the Jenkins core doesn't use log4j the groovy scripting language does and possibly some plugins.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
Another reason not to blindly jump on any "new" framework, just because it's "new". BTW, my team is full of programming gods, and we don't do logging. At all.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
I don't understand it... A logging library should simply log messages, right? How can a logging library become vulnerable? I think only if it does taking actions for specific messages. And that is not the job of a logging tool :doh: [Edit] Good explanation I found here: All About Log4j Log4Shell 0-Day Vulnerability - CVE-2021-44228[^]
-
I don't understand it... A logging library should simply log messages, right? How can a logging library become vulnerable? I think only if it does taking actions for specific messages. And that is not the job of a logging tool :doh: [Edit] Good explanation I found here: All About Log4j Log4Shell 0-Day Vulnerability - CVE-2021-44228[^]
Any library can become vulnerable if it doesn't bounds check everything. Back when I was a youth - and I don't recommend this - I rooted a server using their print daemon. It *is* weird that it's happening with the JVM, given java code is managed and thus relatively hardened, but I don't know *anything* about the exploit so I can only speak about exploits in general.
Real programmers use butterflies
-
Any library can become vulnerable if it doesn't bounds check everything. Back when I was a youth - and I don't recommend this - I rooted a server using their print daemon. It *is* weird that it's happening with the JVM, given java code is managed and thus relatively hardened, but I don't know *anything* about the exploit so I can only speak about exploits in general.
Real programmers use butterflies
-
I agree. But a logging tool which becomes vulnerable by the data it should log is something idiotic, at least for me :-D
Well, in their defense, because of the string, date and file manipulation there are plenty of potential opportunities to exploit a library like that.
Real programmers use butterflies
-
When I heard about it a bit over a week ago, I scanned all my file systems. The only bits that came close were some historical backups of long-dead machines. The first attempted exploit in my server logs was at 2021-12-11 00:28Z. Since then the "villains" are using all sorts of cute encoding tricks to get
jndipast dumb filters that look for it in plain text. They account for currently around 7 or 8% of the noise traffic (i.e. by IP address, not hostname). And yes, I think there is a considerable "beatup" component. Apart from Minecraft, I haven't heard of any significant exploits.Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
They are poking and probing: https://lous-stuff.com[^] #4 the other day.:mad:
>64 If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
-
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
Apparently Ab Initio uses it.
-
Another reason not to blindly jump on any "new" framework, just because it's "new". BTW, my team is full of programming gods, and we don't do logging. At all.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
There are tons of legacy systems built on old open source libraries. This is one of them. The problem I see coming is now that two of the major open source libraries have been found to be vulnerable (OpenSSL was the other one) cyber criminals and their government employed counterparts will start scanning older open source code for more vulnerabilities. Far too many entities never update their systems, especially when they're running open source systems that tend to be harder to update.
-
Any library can become vulnerable if it doesn't bounds check everything. Back when I was a youth - and I don't recommend this - I rooted a server using their print daemon. It *is* weird that it's happening with the JVM, given java code is managed and thus relatively hardened, but I don't know *anything* about the exploit so I can only speak about exploits in general.
Real programmers use butterflies
I heard it was an exploit in native code. A perfect example on why you should avoid native libraries.
"God doesn't play dice" - Albert Einstein "God not only plays dice, He sometimes throws the dices where they cannot be seen" - Niels Bohr
-
I heard it was an exploit in native code. A perfect example on why you should avoid native libraries.
"God doesn't play dice" - Albert Einstein "God not only plays dice, He sometimes throws the dices where they cannot be seen" - Niels Bohr
Ah, that makes sense.
Real programmers use butterflies
