Re: [CentOS] log4j cve

2021-12-15 Thread Ralf Prengel


Quoting Ralf Prengel:




Tools

all links passed on without checking content or quality

https://log4shell.huntress.com/  (source: Sven Kuhnert)

https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/





Sorry,
cut & paste error.

Ralf

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] log4j cve

2021-12-15 Thread Ralf Prengel


Quoting Steve Meier:


Hello Steve,

On 2021-12-14 14:14, Steve Clark wrote:

This is the standard version that comes with CentOS 7 and is the
latest available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch


yes, that's correct, but it is abandoned nonetheless.

According to the RPM's change log, Red Hat backported a fix for  
CVE-2017-5645.

They have not done this for CVE-2019-17571 it seems.
I would be very surprised if they'd do so now.

Kind regards,
  Steve




Tools

all links passed on without checking content or quality

https://log4shell.huntress.com/  (source: Sven Kuhnert)

https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/





Application
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2129 UTC · GitHub



https://logging.apache.org/log4j/2.x/security.html


Press
https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Luecke-6294053.html

https://www.golem.de/news/log4j-luecke-warum-log4shell-so-gefaehrlich-ist-und-was-nicht-hilft-2112-161757-4.html

Note: the comments on the articles contain assessments and pointers;
newest articles at the top


https://www.heise.de/ratgeber/Schutz-vor-schwerwiegender-Log4j-Luecke-was-jetzt-hilft-und-was-nicht-6292961.html

https://www.golem.de/news/log4shell-bsi-vergibt-hoechste-warnstufe-fuer-log4j-luecke-2112-161734.html

https://www.spiegel.de/netzwelt/web/log4j-luecke-bundesbehoerden-von-schwerer-it-schwachstelle-betroffen-a-6cb889d2-ba8d-48f8-a27a-f923bf11b563

https://www.spiegel.de/netzwelt/web/log4-j-schwachstelle-ja-leute-die-scheisse-brennt-lichterloh-a-760bd03d-42d2-409c-a8d2-d5b13a9150fd

https://www.spiegel.de/netzwelt/web/bundesbehoerde-warnt-vor-schwachstelle-in-weit-verbreiteter-software-a-55bc413b-2e01-446c-8ee6-5fabfee3b0f2

Technical sources
https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html

https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2021/12/warnmeldung_cb-k21-1264.html?nn=520170

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile=3

Apache Releases Log4j Version 2.15.0 to Address Critical RCE  
Vulnerability Under Exploitation | CISA


Java-Schwachstelle Log4Shell – Was passiert ist und was zu tun ist –  
Sophos News


Log4Shell explained – how it works, why you need to know, and how to  
fix it – Naked Security (sophos.com)





Re: [CentOS] log4j cve

2021-12-14 Thread Stuart Barkley
On Tue, 14 Dec 2021 at 07:42 -, Steve Clark via CentOS wrote:

> I see on CentOS 7 it has log4j-1.2.17...
> Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if something
> was backported to 1.2?

According to https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Red Hat 7 is not impacted by this problem. This may still be something
in flux. We are removing all instances of log4j from our systems; the
software using it is not important to us, just a convenience.

Stuart
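Added example, not code from the thread and not a Red Hat or Apache tool: a POSIX sh inventory script that does what the messages from Steve Clark, Steve Meier and Stuart Barkley describe by hand. It finds every log4j JAR on a host, tells the end-of-life 1.x line (the one the CentOS 7 log4j package ships) apart from the 2.x core, and for 2.x compares the version against the 2.15.0 and 2.16.0 releases that the CISA and heise articles cited in this thread name. It also prints the CVE ids in the distro package's changelog, which is how the CVE-2017-5645 backport in log4j-1.2.17-16.el7_4 was confirmed. The function names, the status labels and the assumption that JARs are named <artifact>-<version>.jar are mine; the script does not open WAR/EAR archives or shaded JARs, and the thresholds describe mid-December 2021, so raise MIN_OK_VERSION before reusing it.

```shell
#!/bin/sh
# log4j_inventory.sh
# Added example for this thread; not code from the CentOS list, Red Hat or Apache.
# Assumptions (mine): JARs are named <artifact>-<version>.jar, and the host is
# rpm-based so the distro package can be queried with rpm. The script does not
# open WAR/EAR archives or shaded JARs, so bundled copies inside them are missed.
#
# Version thresholds as the thread's sources give them for December 2021:
#   Log4j 1.x    end of life since 2015-08-05 (logging.apache.org/log4j/1.2/)
#   2.15.0       release CISA names as addressing the RCE under exploitation
#   2.16.0       release heise reports as improving the Log4Shell protection
# Newer 2.x releases exist; raise MIN_OK_VERSION before reusing this.
FIRST_FIX_VERSION=2.15.0
MIN_OK_VERSION=2.16.0

# version_ge A B: succeed when dotted version A is >= B
# (numeric fields compared left to right, missing fields count as 0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# classify_log4j_jar PATH: print "<status> <version> <path>", where status is
#   EOL-1.x      log4j 1.x, end of life upstream; whether the distro backported
#                fixes for its CVEs is a separate question (see rpm_log4j_cves)
#   VULN-2.x     log4j-core 2.x older than FIRST_FIX_VERSION
#   PARTIAL-2.x  log4j-core at FIRST_FIX_VERSION but below MIN_OK_VERSION
#   OK-2.x       log4j-core at MIN_OK_VERSION or newer
#   OTHER        a log4j-named JAR that is not the 1.x or 2.x core
#                (log4j-api, log4j-over-slf4j and similar bridges)
#   NOVERSION    core JAR with no version in its name; read the manifest,
#                or run `rpm -qf PATH` on a CentOS host
#   NOT-LOG4J    anything else
classify_log4j_jar() {
    path=$1
    base=$(basename "$path" .jar)
    # artifact: everything before the first "-<digit>"
    artifact=$(echo "$base" | sed 's/-[0-9].*$//')
    # version: the dotted number right after the artifact, so a trailing
    # "-SNAPSHOT" or release suffix is dropped; empty when there is none
    rest=${base#"$artifact"-}
    version=$(echo "$rest" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')
    case "$artifact" in
        log4j)
            if [ -z "$version" ]; then echo "NOVERSION none $path"
            else
                case "$version" in
                    1.*) echo "EOL-1.x $version $path" ;;
                    *)   echo "OTHER $version $path" ;;
                esac
            fi ;;
        log4j-core)
            if [ -z "$version" ]; then echo "NOVERSION none $path"
            elif version_ge "$version" "$MIN_OK_VERSION"; then echo "OK-2.x $version $path"
            elif version_ge "$version" "$FIRST_FIX_VERSION"; then echo "PARTIAL-2.x $version $path"
            else echo "VULN-2.x $version $path"
            fi ;;
        log4j-*) echo "OTHER ${version:-none} $path" ;;
        *)       echo "NOT-LOG4J ${version:-none} $path" ;;
    esac
}

# scan_log4j ROOT: classify every log4j*.jar below ROOT, one line per file
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | while IFS= read -r jar; do
        classify_log4j_jar "$jar"
    done
}

# rpm_log4j_cves: CVE ids mentioned in the distro package's changelog. This is
# the check that showed the CVE-2017-5645 backport in log4j-1.2.17-16.el7_4;
# it only tells you what the vendor says it fixed, not what the JAR contains.
rpm_log4j_cves() {
    rpm -q --changelog log4j 2>/dev/null | grep -o 'CVE-[0-9]*-[0-9]*' | sort -u
}

# Usage: sh log4j_inventory.sh [ROOT ...]    (defaults to /)
case "$0" in
    *log4j_inventory.sh)
        [ $# -gt 0 ] || set -- /
        for root in "$@"; do scan_log4j "$root"; done
        echo "CVE ids in the log4j RPM changelog:"
        rpm_log4j_cves ;;
esac
```

Run it as root so find can read every application directory; anything reported as NOVERSION or found inside a WAR/EAR by other means still needs its META-INF/MANIFEST.MF checked by hand.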


Re: [CentOS] log4j cve

2021-12-14 Thread Markus Falb
On Tue, 2021-12-14 at 14:31 +0100, Steve Meier wrote:
> Hello Steve,
> 
> On 2021-12-14 14:14, Steve Clark wrote:
> >  This is the standard version that comes with CentOS 7 and is the
> > latest available as of a yum update just now.
> > log4j-1.2.17-16.el7_4.noarch
> 
> yes, that's correct, but it is abandoned nonetheless.
> 
> According to the RPM's change log, Red Hat backported a fix for 
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.


https://access.redhat.com/node/4677071

According to that link CVE-2019-17571 is the same issue as CVE-2017-5645 and
both are listed as fixed in this errata:
https://access.redhat.com/errata/RHSA-2017:2423

So I think it's fixed.
Best regards, markus



Re: [CentOS] log4j cve

2021-12-14 Thread Simon Matter
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>>  This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645:

https://access.redhat.com/node/4677071

Regards,
Simon



Re: [CentOS] log4j cve

2021-12-14 Thread Mike Burger

On 2021-12-14 08:31, Steve Meier wrote:

Hello Steve,

On 2021-12-14 14:14, Steve Clark wrote:

 This is the standard version that comes with CentOS 7 and is the
latest available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch


yes, that's correct, but it is abandoned nonetheless.

According to the RPM's change log, Red Hat backported a fix for 
CVE-2017-5645.

They have not done this for CVE-2019-17571 it seems.
I would be very surprised if they'd do so now.


Well, given that they indicated on their page for this CVE that they 
were still investigating the potential for the vulnerability existing in 
1.2, it may happen.


It would be nice if there was a log4j-2 RPM available for C7, but as of 
this point, I've not been able to locate one.


--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1



Re: [CentOS] log4j cve

2021-12-14 Thread Steve Meier

Hello Steve,

On 2021-12-14 14:14, Steve Clark wrote:

 This is the standard version that comes with CentOS 7 and is the
latest available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch


yes, that's correct, but it is abandoned nonetheless.

According to the RPM's change log, Red Hat backported a fix for 
CVE-2017-5645.

They have not done this for CVE-2019-17571 it seems.
I would be very surprised if they'd do so now.

Kind regards,
  Steve


Re: [CentOS] log4j cve

2021-12-14 Thread Steve Clark via CentOS

On 12/14/21 8:07 AM, Steve Meier wrote:

Hello Steve,

On 2021-12-14 13:42, Steve Clark via CentOS wrote:


Hi List,

I see on CentOS 7 it has log4j-1.2.17...
Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
something was backported to 1.2?

Thanks,
Steve



log4j Version 1.2 is definitely *NOT* OK to use.

The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
 announced that Log4j 1.x had reached end of life."

There is already an unpatched CVE from 2019 for log4j 1.2.

It's really time to upgrade.

Kind regards,
  Steve



This is the standard version that comes with CentOS 7 and is the latest 
available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch

--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect

Email Confidentiality Notice: The information contained in this transmission 
may contain privileged and confidential and/or protected health information 
(PHI) and may be subject to protection under the law, including the Health 
Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This 
transmission is intended for the sole use of the individual or entity to whom 
it is addressed. If you are not the intended recipient, you are notified that 
any use, dissemination, distribution, printing or copying of this transmission 
is strictly prohibited and may subject you to criminal or civil penalties. If 
you have received this transmission in error, please contact the sender 
immediately and delete this email and any attachments from any computer. Vaso 
Corporation and its subsidiary companies are not responsible for data leaks 
that result from email messages received that contain privileged and 
confidential and/or protected health information (PHI).


Re: [CentOS] log4j cve

2021-12-14 Thread Steve Meier

Hello Steve,

On 2021-12-14 13:42, Steve Clark via CentOS wrote:

Hi List,

I see on CentOS 7 it has log4j-1.2.17...
Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
something was backported to 1.2?

Thanks,
Steve


log4j Version 1.2 is definitely *NOT* OK to use.

The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
 announced that Log4j 1.x had reached end of life."

There is already an unpatched CVE from 2019 for log4j 1.2.

It's really time to upgrade.

Kind regards,
  Steve


[CentOS] log4j cve

2021-12-14 Thread Steve Clark via CentOS

Hi List,

I see on CentOS 7 it has log4j-1.2.17...
Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if something 
was backported to 1.2?

Thanks,
Steve
--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect
