Posted on 12/12/2021 9:08:33 PM PST by blueplum
Massive data breaches have become so common that we’ve gotten numb to reports detailing another hack or 0-day exploit. That doesn’t reduce the risk of such events happening, as the cat-and-mouse game between security experts and hackers continues. As some vulnerabilities get fixed, others pop up requiring attention from product and service providers. The newest one has a name that will not mean anything to most people. They call the hack Log4Shell in security briefings, which doesn’t sound very scary. But the new 0-day attack is so significant that some people see it as the worst internet hack in history....
...Patching the vulnerability is possible, and companies have started deploying fixes. But each separate internet entity will have to handle the matter on its own servers and systems. ...
...Meyers is the senior vice president of intelligence at CrowdStrike, a cybersecurity company monitoring the Log4Shell hack. He revealed that hackers “fully weaponized” the vulnerability just 12 hours after researchers initially disclosed it....
(Excerpt) Read more at msn.com ...
The direct link to BGR:
https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/
MSN did not author this article.
What idiot thought it would be a good idea to have RCE capability in a logging utility?
It’s not normally there.
This is a vulnerability that makes that happen to the OS.
tech-ping
I’ve always hated JAVA.
>>It’s not normally there.
Wrong. That “feature” was deliberately coded.
From a different article on it:
The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.
But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.
And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.
The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.
You just proved it's not performing remote code execution. There's nothing in Log4j that lets you run any code. It does a lookup, but that is not executed code or arbitrary code.
>>There’s nothing in Log4j that lets you run any code.
Did you miss THIS?
“And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.”
Downloading and running arbitrary code seems like a bad idea.
Again, log4j does not ever run such code. It does now, only under an exploit.
Ummmmm... that’s what the entire panic is over. A security flaw means that Log4J will retrieve client-supplied URLs including executing Java code. That’s not good.
it's a wonderful world
https://www.reuters.com/markets/europe/exclusive-imf-10-countries-simulate-cyber-attack-global-financial-system-2021-12-09/?fbclid=IwAR3fiRQ05BTXjvfc5N_hFlNh0yhH5PbmIe8zCzsfzLMw6L6cKZXUrr6prI0
No.
Thnx for providing such a clear explanation for a semi-techie like me!
I was thinking the same thing. What purpose could it serve?
It’s been impossible here to create new ebay listings via desktop since Friday (apparently ok via mobile apps), wonder if there could be a connection?
bookmark
No.