Internet is scrambling to fix Log4Shell, the worst hack in history

BGR via msn ^ | 12 December 2021 | Chris Smith

[ConservativeMind]

The direct link to BGR:

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

MSN did not author this article.

[vikingd00d]

What idiot thought it would be a good idea to have RCE capability in a logging utility?

[ConservativeMind]

It’s not normally there.

This is a vulnerability that makes that happen to the OS.

[Bikkuri]

tech-ping

[Bikkuri]

I’ve always hated JAVA.

[vikingd00d]

>>It’s not normally there.

Wrong. That “feature” was deliberately coded.

From a different article on it:

The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.

But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.

And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.

The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.

[ConservativeMind]

“The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.”

You just proved it's not performing remote code execution. There's nothing in Log4j that lets you run any code. It does a lookup, but that is not executed code or arbitrary code.

[vikingd00d]

>>There’s nothing in Log4j that lets you run any code.

Did you miss THIS?

“And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.”

Downloading and running arbitrary code seems like a bad idea.

[ConservativeMind]

Again, log4j does not ever run such code. It does now, only under an exploit.

[TennesseeProfessor]

Ummmmm... that’s what the entire panic is over. A security flaw means that Log4J will retrieve client-supplied URLs including executing Java code. That’s not good.

[KTM rider]

the anethesiologist I sent a few thousand dollars out of pocket to (for about an hours work) just sent a letter informing me that they had a data breach so I should watch out for identity theft

its a wonderful world

https://www.reuters.com/markets/euro...L6cKZXUrr6prI0

[KTM rider]

could this be related ?

https://www.reuters.com/markets/europe/exclusive-imf-10-countries-simulate-cyber-attack-global-financial-system-2021-12-09/?fbclid=IwAR3fiRQ05BTXjvfc5N_hFlNh0yhH5PbmIe8zCzsfzLMw6L6cKZXUrr6prI0

[TexasGunLover]

No.

[TexasGunLover]

We've been at it (fortune 100 company) all weekend 24/7.

We have over 60k VM's with the vulnerability for over 14k applications.

[Mr Radical]

Thnx for providing such a clear explanation for a semi-techie like me!

[gitmo]

I was thinking the same thing. What purpose could it serve?

[Mr Radical]

It’s been impossible here to create new ebay listings via desktop since Friday (apparently ok via mobile apps), wonder if there could be a connection?

[GOP Poet]

bookmark

[TexasGunLover]

No.