Security Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (Log4Shell)

Discussion in 'System Administration' started by Revenge, Dec 11, 2021.

  1. Revenge

    Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit

    https://www.zdnet.com/article/secur...og4j-java-library-is-already-being-exploited/


     
  2. Jimmy


    "Houston, we have a problem."
  3. Rake-GH

    This is a serious issue; I just came here to post this.

    XenForo Enhanced Search (the paid official addon) uses Elasticsearch, which uses Log4j, so it's possible that it's vulnerable.

    I already had someone try to exploit it on my site by putting the exploit into the search box.

    But I don't use Enhanced Search, so I'm not worried about it.
  4. Matt

  5. eva2000

    edit: Looks like log4j 2.16 is out now, as 2.15 didn't fully fix the vulnerability: https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
    • Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. Fixes LOG4J2-3208
    • Completely remove support for Message Lookups. Fixes LOG4J2-3211

    Interesting indeed https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-v

    Cloudflare paid plan users with the CF WAF enabled would automatically be protected too.
    Last edited: Dec 14, 2021
  6. eva2000

    Some folks are reporting that it isn't working, whether because they implemented it incorrectly or not, I'm not sure. Probably best to just switch to native XF search temporarily until more about the security issue is known.
  7. Matt

  8. eva2000

    Yup, following along with that thread :)

    Looks like cPanel and Plesk also use log4j.

    cPanel server

    Code (Text):
    locate log4j-core
    /home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar
    /home/cpanelsolr/licenses/log4j-core-2.13.2.jar.sha1
    /home/cpanelsolr/licenses/log4j-core-LICENSE-ASL.txt
    /home/cpanelsolr/licenses/log4j-core-NOTICE.txt
    /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
    /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar


    Plesk Ubuntu

    Code (Text):
    locate log4j-core
    /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar


    edit: my mistake, Plesk doesn't use Elasticsearch search. I had installed Elasticsearch on this Plesk Ubuntu server as I was developing a Plesk server info diagnostic script which scans and collects all Plesk server/environment info for a quick overview of a Plesk system's resource usage/configuration :)
    Last edited: Dec 12, 2021
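    The `locate log4j-core` checks above only list paths. As an added example (not code from this thread, cPanel, Plesk or Elasticsearch), here is a POSIX shell helper that parses the version out of each log4j-core jar path and flags anything older than 2.16.0, the release the thread's changes-report link cites as disabling JNDI by default. The sample paths are constructed from the cPanel and Plesk output quoted above plus one hypothetical already-patched jar.

```shell
#!/bin/sh
# Added example, not from the thread. Flags log4j-core jars older than
# FIXED_VERSION (2.16.0 per the changes-report quoted in the thread).
FIXED_VERSION="2.16.0"

# Constructed sample input: the thread's cPanel/Plesk `locate` output plus
# one hypothetical already-patched jar under /opt/example.
SAMPLE_PATHS='/home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar
/home/cpanelsolr/licenses/log4j-core-2.13.2.jar.sha1
/home/cpanelsolr/licenses/log4j-core-LICENSE-ASL.txt
/home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/opt/example/lib/log4j-core-2.16.0.jar'

# Print the x.y.z version embedded in a log4j-core jar path; print nothing
# for non-jar matches such as .sha1 checksums or LICENSE files.
log4j_version_from_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*log4j-core-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\.jar$/\1/p'
}

# Succeed when dotted version $1 sorts numerically before $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Read newline-separated paths from $1 and emit one line per jar:
# "VULNERABLE <version> <path>" or "OK <version> <path>".
classify_log4j_paths() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        ver=$(log4j_version_from_path "$path")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$path"
        else
            printf 'OK %s %s\n' "$ver" "$path"
        fi
    done
}

# Live use on a server with an up-to-date locate database (assumption):
#   classify_log4j_paths "$(locate log4j-core)"
classify_log4j_paths "$SAMPLE_PATHS"
```

    Only the jar filename is inspected, so a jar that was patched in place (or shaded into another archive) is not detected; treat the output as a starting list, not a clean bill of health.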
  9. Matt

    Yeah, none of the servers I set up have the Solr search installed.
  10. eva2000

  11. Matt

    Yeah, but it’s not installed by default, and I never install it.
  12. eva2000

    Indeed. This was on a very long-time client's cPanel server. Going to switch it off :)
  13. eva2000

    Cloudflare WAF rules for protection against log4j exploits. Only one of the CF WAF rules has been triggering for me right now, over the past 72 hrs.

  14. buik

    What I have not yet read in this topic, but is of interest: the severity is critical.
    It seems Apache Log4j is used a lot as a dependency, for example for Red Hat OpenShift.

    And that often leads to underestimating an impact like this.
    At first glance, you may think, oh, I or we don't use it.
    But therein lies the danger. Log4j is often used as part of.
  15. eva2000

    Yeah, Log4j is used in dependencies of other packages which folks might not be aware of, i.e. cPanel's optional cpanelsolr and even the Plesk control panel. Then there's the XenForo Enhanced Search addon's Elasticsearch usage.

    That includes Minecraft servers too: ‘The Internet Is on Fire’ and Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec
    Last edited: Dec 11, 2021
  16. buik

    Pfffff, ‘The Internet Is on Fire’, “It's a design failure of catastrophic proportions.”
    Was that article written by a snowflake who is afraid?

    Come on. Of course you shouldn't do that.
    Stay calm and keep an eye on your infra.
    Once in a while you have a critical CVE. So what.

    You don't have to insult the programmers involved at Apache with cries like
    'design failure of catastrophic proportions'.
    This writer knows it all better. Well, let's see then!
  17. eva2000

    :LOL: In this day and age of security alerts every day, sometimes an extra bit of fear is needed to push folks to act, maybe? :)

    Looks like even some of my custom Cloudflare Firewall rules caught the log4j attacker's IP address doing other things too :)

  18. Matt
