Yup - woke up to find out our Bangalore DevOps team had spent their Sunday working to identify components using log4j and update to 2.15.0.
This even affects Ingenuity, the Mars helicopter.
It's fairly simple to update the log4j library to the latest version and I bet a lot of IT people are spending their weekend doing just that.
The vulnerability is related to the log4j JndiLookup class that is responsible for string substitutions in the log message. I suspect the hackers can load a bogus hacked file to the server and then replace the intended string substitution with malware code of their choosing from the hacked file.
Disabling the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true, will block this vulnerability until the new library can be installed.
Methinks this vulnerability as seen in the wild is due to vulnerable Active Directory installations when the CVE is updated and scored.
Not that there isn’t an IT/Sec/Sysadmin anywhere that isn’t already aware of this, but what the heck, *ping* anyway....
Heh, we have a lot of software made with that.
Glad I'm not coding. Too many people do not revisit their code and can't do an upgrade easily. Heck, even identifying all the software in production using it will take weeks.
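On the point just made about identifying everything in production that carries the library: as an added example (not code from anyone in this thread, and not an Apache tool), here is a scanner that walks a directory tree, opens every jar/war/ear including archives nested inside other archives, reports those that still contain `JndiLookup.class` together with the log4j-core version from the jar's Maven `pom.properties`, and can rewrite a jar without that class (the same effect as the published `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` mitigation). The sample tree it builds is a constructed fixture with placeholder class bytes, not a real log4j build, and all function names are the example's own.

```python
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _core_version(zf):
    """Version from the Maven pom.properties that log4j-core ships, if present."""
    if LOG4J_CORE_POM not in zf.namelist():
        return "unknown"
    for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _inspect(zf, label, findings):
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        findings.append((label, _core_version(zf)))
    # Fat jars, WARs and EARs carry log4j-core as a nested archive.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect(inner, f"{label}!{name}", findings)


def scan_tree(root):
    """(archive label, log4j-core version) for every archive under root that
    still contains JndiLookup.class, nested archives included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def strip_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class. Returns True if the
    class was present and has been removed, False if there was nothing to do."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)
    return removed


def _make_jar(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixture: a fake log4j-core jar (placeholder bytes, not a
    real build), the same jar nested in a WAR, and a log4j-api jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core = _make_jar({
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe placeholder",
        LOG4J_CORE_POM: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n",
    })
    api = _make_jar({"org/apache/logging/log4j/Logger.class": b"placeholder"})
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core)
    with open(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), "wb") as f:
        f.write(api)
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(_make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": core}))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for label, version in scan_tree(root):
        print(f"{label}: log4j-core {version} still has JndiLookup.class")
```

The scanner keys on the class file rather than on the version string on purpose: shaded and renamed jars lose their file name and sometimes their pom.properties, but the class path inside the archive survives. The stripping helper only touches top-level jars; a copy nested inside a WAR has to be repacked by the owner of that WAR, which is exactly the "weeks" part.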