Software Flaw Sparks Global Race To Patch Bug (wsj.com)
Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks. From a report: Cybersecurity researchers said the bug, hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector." Germany's cybersecurity organization over the weekend issued a "red alert" about the bug. Australia called the issue "critical."
Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched. "It is one of the most significant vulnerabilities that I've seen in a long time," said Aaron Portnoy, principal scientist with the security firm Randori. Security experts noted that many companies have other processes in place that would prevent a malicious hacker from running software and breaking into these companies, potentially limiting the fallout from the bug. Microsoft, in an alert to customers, said "attackers are probing all endpoints for vulnerability." Amazon.com, Twitter and Cisco were among the companies that have said they were carrying out investigations into the depth of the problem. Amazon, the world's biggest cloud computing company, said in a security alert, "We are actively monitoring this issue, and are working on addressing it."
Problem solved ... (Score:5, Funny)
Just upgrade from Log4j to Log4k -- the version number is base 36, right?
Re: Problem solved ... (Score:5, Funny)
For a complex input z, Log4j(z) returns the complex number w such that (4j)^w = z.
It is a rare but important function alongside the more common ones: Log2(), LogE() and Log10().
Re: (Score:3, Informative)
Or Log4j++ blockchain microservice edge cloud web-assembly. If you are going to be hacked, get hacked by the "in" crowd to be cool.
Re: (Score:2)
Or Log4j++ blockchain microservice edge cloud web-assembly. If you are going to be hacked, get hacked by the "in" crowd to be cool.
I'll be even cooler once I buy the NFT of the buggy library.
Love the title (Score:5, Insightful)
Re: (Score:3)
hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks.
Sounds a little rushed to press -- "obscure" and "widely used" doesn't really jibe [merriam-webster.com].
Re: Love the title (Score:5, Insightful)
Re:Love the title (Score:4, Insightful)
"obscure" and "widely used" doesn't really jibe
Most know about "TCP ports", despite that there are TWO ports in a TCP header, the "destination port" being the one most know about.
The "source port" is practically unknown of by anyone with extensive networking experience/knowledge, making it "obscure"
Yet it is used within every TCP packet ever generated, making it also "widely used"
On topic, until last Friday, I had no idea Java didn't include a logging function of its own and to get even the most basic text file debugging requires an external library to do it.
I'd dare say nearly all non-java programmers were likely just as unaware.
Even having installed a couple java based programs in my time, the realization that not just the program, but its dependencies, those dependencies dependencies, and so on, have independently opted to use the same non-1st-party logging library, is mind boggling.
It's very fair to say this library is obscure.
That it keeps popping up in so many different programs also makes it widely used, even if entirely unbeknownst to those using the program.
Re: Love the title (Score:3)
The "source port" is practically unknown of by anyone with extensive networking experience/knowledge, making it "obscure"
I think anybody with even average knowledge of networking has used Wireshark at least once, and if you have, it's just as prominent as the destination port.
Re: (Score:3)
Average Familiarity:
https://xkcd.com/2501/ [xkcd.com]
Re:Love the title (Score:4, Insightful)
"obscure" and "widely used" doesn't really jibe
Not many people can tell you what palladium is, but anyone that has driven a car has used it. Obscure: not discovered or known about; uncertain. That could apply to thousands of things that are used every day that contain things most people don't know about.
Re: (Score:2)
Re:Love the title (Score:4, Insightful)
hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks.
Sounds a little rushed to press -- "obscure" and "widely used" doesn't really jibe [merriam-webster.com].
This is the curse of giant dependency trees - things can be used for years without most people knowing they're there. Then one day the boat sinks because there's a hole in it.
Here (Score:4, Informative)
These are the people that discovered it. [lunasec.io]
I found out about it from a YTer with a funny video showing it in Minecraft and a decent break down. [youtube.com]
Re:Love the title (Score:5, Informative)
Affected versions 2.14.1 and below.
Re: Love the title (Score:3)
Re: (Score:3)
Supposedly it was introduced in one of the 2.0. betas.
It's a bit deeper than that (since the exploit depends on JNDI lookups being turned on in Log4J).
There's no known exploit risks with versions 1.x, but the possibility remains. SLF4J suggests a physical remediation (by removing the JMSAppender class from the log4j jar artifacts.) See link below for details:
http://slf4j.org/log4shell.html [slf4j.org]
If it were up to me and happened to control a system depending on Log4J 1.x, I would do that remediation rather than run the risk.
Re: Love the title (Score:2)
The wording alone ... (Score:2)
So when they say the cloud is secure (Score:5, Funny)
Re: (Score:2, Interesting)
Re: (Score:2)
This is a vulnerability in a logging library. Any service you built yourself that used this library would be vulnerable, cloud or no.
How do you make a log server execute code? (Score:2)
You ask the log server to execute the code.
Re: (Score:1)
Obscure ? (Score:2)
Re: (Score:2)
Well, it's obscure to a tech blogger anyway - it's not "Facebook / Meta" or "Google" or "Twitter" or "WhatsApp".
Re: (Score:2)
Funny how some tech bloggers seem to know so little about... you know... tech.
Re: (Score:2)
Should win 'most enterprisey' vulnerability award (Score:5, Insightful)
The vulnerability was in the ability to load a Java class file over LDAP. As well as being a horrible vulnerability, the whole capability sounds like the fever dream of an 'enterprise' software architect.
Re: (Score:3)
Another idiot with vision.
Re: (Score:2)
At this point, I would recommend everyone moving away from log4j. Now that one vuln was found, over the next few months a lot of attention will be focused on it, with likely more found.
All you need for logging is the ability to redirect stdout/stderr to wherever you want it. There's no need for a massive library, and Java has an adequate native logging solution now.
Re: (Score:2)
"adequate" is in the eye of the beholder. When java.util.logging came out in 2002, even the log4j version then in existence was considered superior. It still is, even though wrappers like slf4j are now in common use to handle the variety of logging mechanisms.
Re: (Score:2)
"Comes with remote vulnerabilities" is not superior.
The Gift that keeps on Giving (Score:5, Informative)
One aspect of this vulnerability is that the attacker does not need to have opened or connected directly to the vulnerable Java program. The Java program just has to be exposed to an exploit string from *some* source such that the program logs it with a vulnerable version of log4j. At which point the program opens its own outbound connection to the exploit server. (The port number can be specified to 80 or 443 so it looks like outbound HTTP or HTTPS traffic, so just blocking outbound connections to LDAP default ports won't save you.)
So I have moderate expectations that there will be a burst of systems exploited at the end of the month when automated billing/accounting/auditing/etc. systems start processing this month's data for the end of month or end of year reporting. It will be something like the software which drives the business bulk mailing label printer or something -- some minor Java utility that has nothing at all to do with the network -- somewhere in the processing chain which will dutifully try to execute the exploit.
Re: (Score:3)
Re: (Score:2)
You should not let traffic leave your intranet except to known hosts (personal computers of course are different). The firewall to do this is easy to set up, but for some reason a lot of people don't do it.
Re: (Score:2)
Put it through a proxy and only allow it to connect to domain/port that it needs to for functionality.
So does that proxy server keep logs? If so, what component does it use for those logs? Could it be using Log4j? Woops!
And it doesn't even need to be internet connected at all. There are already examples of people triggering the bug in network systems by changing the name of their phones. Many enterprise wifi systems will log connection attempts, even unsuccessful ones. Someone could walk into a lobby and execute arbitrary code on a network by just having their phone try to connect to the company wifi. T
Re: (Score:2)
Re: (Score:2)
The kind of exploit you describe is often called a "reverse shell," in case you want to look up more about it.
All you need, really! (Score:2)
WSJ, really?! (Score:5, Informative)
Here are a few githubs tracking affected products:
https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_apps.md
https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_components.md
https://gist.github.com/SwitHa... [github.com]
And some news articles
https://nakedsecurity.sophos.c... [sophos.com]
https://www.engadget.com/log4s... [engadget.com]
https://www.infoworld.com/arti... [infoworld.com]
And some shell scripts (Score:2)
https://gist.github.com/Neo23x... [github.com]
Re:WSJ, really?! (Score:4, Insightful)
I have said this before:
There has to be such a deal ... /. editors keep posting articles with links to them ...
Not only with WSJ, but also Bloomberg and the NY Times.
All are behind a paywall, or require a subscription, yet,
Newsflash: Slashdotters will not subscribe to WSJ nor Bloomberg just because /. keeps posting links to them ...
I understand they need to make money, but not at the expense of pissing off their audience.
Re:WSJ, really?! (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Even simpler: the submitter has access either through work or personally, and doesn't realize their link is paywalled.
Fixed in twelve days .. (Score:2)
Re: (Score:2)
That's quite fast, compared to some...
My boss forwarded an e-mail from the supplier of some middleware we use. In essence, they say "We're not vulnerable to this because the bug was introduced in version 2.0-beta9 and we use an earlier version". 2.0-beta9 came out more than 8 years ago [apache.org].
Only minimized via gov't collaboration? (Score:2)
"We will only minimize potential impacts through collaborative efforts between government and the private sector."
Right, because all the companies that have been scrambling and remediating this ASAFP needed the government (pick one, any one) to help out?
Is it a bug? (Score:3)
I thought it works as documented. Now the documented default behaviour may be very risky from a security perspective, so it may be a bad idea, but it is not a bug.