On Sunday, December 12, 2021, Andrew Rowley <[email protected]>
wrote:

> On 12/12/2021 1:20 pm, David Crayford wrote:
>
>> Fingers crossed! The truth is almost no mainframe network (worth its
>> salt) is visible to outside world. But that doesn't stop the public servers
>> being compromised.
>>
>> A quick fix if you are unable to update to the patched version is to use
>> the following Java property:
>>
>> -Dlog4j2.formatMsgNoLookups=True
>>
>
> It seems slightly unfair to call this a Java vulnerability. It's a
> vulnerability in a package written in Java (albeit widely used). If this is
> a Java vulnerability, how many C/C++ or even assembler vulnerabilities have
> we seen?
>
> *My understanding* is that the vulnerability can be exploited if you log
> data that comes from untrusted sources, e.g. user input like URLs, http
> headers, perhaps even invalid userids from login attempts?? So I think it
> could be potentially exploited on the mainframe if user input is passed
> from a front end and logged on the mainframe. The front end wouldn't need
> to be written in Java - just the component doing the logging. Direct
> network access and visibility to the outside world is not required. I think
> outbound access *is* required for the exploit.
>
> Conceptually it seems similar to SQL injection attacks. Among other
> things, it highlights the danger of working with data from untrusted
> sources including http requests, login attempts, etc.
>
>
I agree 100%. And I blame this sort of attack on some combination of
ignorance, laziness, and push by management to "get it working
immediately!" (let the users be your beta testers). Also, poor examples
in books by "knowledgeable" authors, who are also pushed to publish
quickly. My code is paranoid. I trust the users to be untrained and also
pushed to "be productive" immediately. So I at least try to put in
reasonableness tests, both in the web coding and, if possible, in the
server code and in the data definitions (for SQL databases). I also, for
SQL, use "compiled" expressions and then "execute" those expressions,
passing the data as parameters (after validation). This is a simple way,
in most SQL, to avoid injection attacks.

> --
> Andrew Rowley
> Black Hill Software
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>


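The "compiled expression, executed with the data as parameters" practice the last poster describes, as an added example (not the poster's own code and not from the thread): Python with the standard sqlite3 module, showing the string-built query beside its parameterised form against a constructed injection payload, together with a reasonableness test and a data-definition check of the kind mentioned. The table, rows and userid rule are assumptions made for illustration.

```python
"""String-built SQL versus a parameterised statement.

Added example for this thread, not the poster's code.  The table, its
rows and the userid rule are constructed for illustration.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    # The CHECK constraint is a reasonableness test in the data
    # definition: the column cannot hold anything but 0 or 1.
    conn.execute(
        "CREATE TABLE users ("
        " userid TEXT PRIMARY KEY,"
        " active INTEGER NOT NULL CHECK (active IN (0, 1)))"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("ALICE", 1), ("BOB", 0)])
    return conn


def validate_userid(userid: str) -> bool:
    """Input reasonableness test run before any query (an assumed rule:
    1-8 ASCII letters or digits, chosen to resemble a z/OS userid)."""
    return 1 <= len(userid) <= 8 and userid.isascii() and userid.isalnum()


def active_user_unsafe(conn: sqlite3.Connection, userid: str) -> list[str]:
    """Vulnerable form: the value is pasted into the SQL text, so quote
    and comment characters in it rewrite the statement."""
    sql = f"SELECT userid FROM users WHERE userid = '{userid}' AND active = 1"
    return [row[0] for row in conn.execute(sql)]


def active_user_safe(conn: sqlite3.Connection, userid: str) -> list[str]:
    """Parameterised form: the statement is compiled with a placeholder
    and the value is bound as data, so it is only ever compared as a
    string and never parsed as SQL."""
    sql = "SELECT userid FROM users WHERE userid = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (userid,))]


def demo() -> dict[str, object]:
    """Run both forms against a constructed payload that comments out
    the active = 1 check, plus a normal lookup."""
    conn = make_db()
    payload = "BOB' --"          # constructed attacker input
    return {
        "validated": validate_userid(payload),        # False: rejected up front
        "unsafe": active_user_unsafe(conn, payload),  # ['BOB']: inactive user returned
        "safe": active_user_safe(conn, payload),      # []: no such userid
        "normal": active_user_safe(conn, "ALICE"),    # ['ALICE']
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

With the payload pasted in, the statement becomes `SELECT userid FROM users WHERE userid = 'BOB' --' AND active = 1` and the trailing condition is commented away, so the inactive user is returned; the bound parameter cannot change the statement shape, so the same input simply matches nothing. The validation layer rejects the input before either query runs, which is the defence in depth the poster argues for.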