
Security Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (Log4Shell)

Discussion in 'System Administration' started by Revenge, Dec 11, 2021.

  1. buik

    buik “The best traveler is one without a camera.”

    Sure senior snowflake security writer Lily Hay Newman from Wired.
    You have backported patches for legacy software.


    Develop your own patches?
    The patch code is already available and only takes a few lines.
    No need to develop your own code as Apache is open source.
    But perhaps she does not know what open source is?

    Immediate patching of legacy software is not a problem at all for Minecraft-Microsoft. As if there were no one among the 180,000+ employees who had a solution?

    Besides, as a company with critical systems, you simply have a service contract with critical fixes within a number of hours. From organisations like Red Hat, you just get an update RPM before it is officially released. Just contact your account manager. But what do you get with a dishcloth without practical experience?
    Well, this nonsense. In short a tip dear Lily: Go knitting!
     
  2. eva2000

    eva2000 Administrator Staff Member

    For cPanel solr: New Thread - log4j CVE-2021-44228, does it affect Cpanel?

    Code (Text):
    yum update cpanel-dovecot-solr


     
  3. eva2000

    eva2000 Administrator Staff Member

  4. eva2000

    eva2000 Administrator Staff Member

  5. eva2000

    eva2000 Administrator Staff Member

  6. eva2000

    eva2000 Administrator Staff Member

    Log4j RCE Found | Hacker News

    Ouch Minecraft chat
     
  7. eva2000

    eva2000 Administrator Staff Member

    Other workarounds: Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2, with patched log4j2-core files at GitHub - zhangyoufu/log4j2-without-jndi: log4j2-core JAR w/o JndiLookup.class

    Comparing Plesk log4j-core-2.11.1.jar with the patched version
    Code (Text):
    ls -lAhR
    .:
    total 8.0K
    drwxr-xr-x 2 root root 4.0K Dec 11 11:57 patched
    drwxr-xr-x 2 root root 4.0K Dec 11 11:57 plesk
    
    ./patched:
    total 1.6M
    -rw-r--r-- 1 root root 1.6M Dec 11 11:56 log4j-core-2.11.1.jar
    
    ./plesk:
    total 1.6M
    -rw-r--r-- 1 root root 1.6M Dec  2 15:52 log4j-core-2.11.1.jar
    

    Code (Text):
    diff -qr plesk/ patched/
    Files plesk/log4j-core-2.11.1.jar and patched/log4j-core-2.11.1.jar differ
    Only in plesk/org/apache/logging/log4j/core/lookup: JndiLookup.class
    
     
    Last edited: Dec 11, 2021
  8. duderuud

    duderuud Premium Member Premium Member

    My website was also attacked 5 times, blocked by Cloudflare WAF.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yeah Cloudflare WAF helps but won't be able to protect from all attack vectors, so best is to update when available.

    log4j maintainers are unpaid unfortunately https://twitter.com/yazicivo/status/1469349956880408583 :(

     
  10. eva2000

    eva2000 Administrator Staff Member

    Ok https://twitter.com/WeldPond/status/1469313738029289476

     
  11. eva2000

    eva2000 Administrator Staff Member

  12. eva2000

    eva2000 Administrator Staff Member

  13. eva2000

    eva2000 Administrator Staff Member

    Red Hat impact: RHSB-2021-009 Log4Shell - Remote Code Execution - log4j - Red Hat Customer Portal

     
  14. eva2000

    eva2000 Administrator Staff Member

    Creating new Cloudflare Firewall rules on the Enterprise plan, you can test the rules to see if there are matches. Testing the user agent field for jndi or ldap has a few hits - guess there are other fields to check too.

    cf-waf-log4j-rules-useragent-01.png

    cf-waf-log4j-rules-useragent-02.png
     
  15. eva2000

    eva2000 Administrator Staff Member

    Backblaze users and log4j: System Maintenance Update: Log4j Vulnerability

     
  16. Matt

    Matt Well-Known Member

    Let's hope Amazon don't take S3 offline otherwise that's half the internet down!
     
  17. eva2000

    eva2000 Administrator Staff Member

    Woah so true, but the alternative of letting a vulnerable system continue to run?? I only use S3 for backups or log archiving myself. But I can imagine Xenforo users offloading to S3!
     
  18. Matt

    Matt Well-Known Member

    I know, unless they can do a rolling update without needing to take everything offline.
     
  19. eva2000

    eva2000 Administrator Staff Member

    If removing log4j-core class is enough, it could possibly be patched. From the previous GitHub link I posted, they included a patch.sh script, so something similar could be run across clusters of servers: log4j2-without-jndi/patch.sh at master · zhangyoufu/log4j2-without-jndi

    Code:
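    #!/bin/bash
    # Abort on any failed command or unset variable.
    set -eu
    for JAR_PATH in "$@"; do
        # Skip anything that is not a log4j-core jar, is already backed up, or is not a regular file.
        if [[ $JAR_PATH != *log4j-core*.jar ]] || [ -e "$JAR_PATH.bak" ] || ! [ -f "$JAR_PATH" ]; then
            echo "Skipped $JAR_PATH"
            continue
        fi
        echo "Processing $JAR_PATH"
        # Keep a backup with the original mode and timestamps before editing the jar in place.
        cp -p "$JAR_PATH" "$JAR_PATH.bak"
        # Delete the JNDI lookup class; zip -d exits non-zero if the entry is absent, which stops the run under set -e.
        zip -q -d "$JAR_PATH" org/apache/logging/log4j/core/lookup/JndiLookup.class
    done

    That assumes providers don't actually need/use jndi class, which would make things more complicated if they do use jndi class!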
     
    Last edited: Dec 12, 2021
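
An added example, not part of the thread or of the log4j2-without-jndi project: a check that JndiLookup.class is really gone after the workaround above, going beyond the single-jar `diff -qr` comparison by also looking inside jars bundled in WAR or fat-jar archives, which a filename match on `*log4j-core*.jar` does not reach. The function names, the size cap and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Class removed by the patch.sh workaround quoted in the thread.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # assumed cap so a huge inner archive is not unpacked

def find_jndi_lookup(data, label, max_depth=4):
    """Return 'outer!inner' paths of archives that still contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                hits.append(label)
            elif (name.lower().endswith(ARCHIVE_EXT) and max_depth > 0
                  and info.file_size <= MAX_NESTED_BYTES):
                # Recurse into bundled jars (WAR / fat-jar layouts).
                hits += find_jndi_lookup(zf.read(name), f"{label}!{name}", max_depth - 1)
    return hits

def _make_zip(entries):
    # Build a constructed in-memory archive for the demo (not a real log4j jar).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    other = "org/apache/logging/log4j/core/Logger.class"
    unpatched = _make_zip({JNDI_CLASS: b"stub", other: b"stub"})
    patched = _make_zip({other: b"stub"})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.11.1.jar": unpatched})
    return {"plesk": find_jndi_lookup(unpatched, "plesk/log4j-core-2.11.1.jar"),
            "patched": find_jndi_lookup(patched, "patched/log4j-core-2.11.1.jar"),
            "war": find_jndi_lookup(war, "app.war")}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # scan real archives given on the command line
        with open(path, "rb") as fh:
            print(path, find_jndi_lookup(fh.read(), path) or "JndiLookup.class not found")
```

An empty result only means the class was not found in the archives scanned; it says nothing about copies unpacked elsewhere on disk.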
  20. Jimmy

    Jimmy Well-Known Member

     
    Last edited: Dec 12, 2021