Re: Log4j mitigation

2021-12-11 Thread Stefan Bethke 
Am 11.12.2021 um 04:54 schrieb Andy Ringsmuth :
> 
> The intricacies of Java are over my head, but I’ve been reading about this 
> Log4j issue that sounds pretty bad.
> 
> What do we know about this? What, if anything, can a network operator do to 
> help mitigate this? Or even an end user?

Probably not. The problem lies in the functionality of log4j to do token 
interpolation (think "foo ${bar} baz") not just on the format string that is 
configured, but also on the values passed into the logging function call.

Let that sit for a minute.

For most applications that receive input over the network, I would expect it's 
close to impossible to recognise problematic input that might be logged while 
processing the request, or even at a later stage. The URL is an obvious place, 
but form input, or even the contents of a ZIP file that is being uploaded might 
be processed by logging function calls.

The good news is that setting the Java system property 
log4j2.formatMsgNoLookups to true disables the vulnerable functionality. For 
most Java server applications, that should be a very quick change.


Stefan

--
Stefan BethkeFon +49 151 14070811



signature.asc
Description: Message signed with OpenPGP

Re: Log4j mitigation

2021-12-11 Thread Nick Hilliard 

Andy Ringsmuth wrote on 11/12/2021 03:54:

The intricacies of Java are over my head, but I’ve been reading about this 
Log4j issue that sounds pretty bad.

What do we know about this? What, if anything, can a network operator do to 
help mitigate this? Or even an end user?


The payload can be contained in https, so there is no way of detecting / 
stopping this at the network level.  Installations need to be upgraded / 
fixed.


https://logging.apache.org/log4j/2.x/security.html

1. upgrade log4j to 2.15.0 and restart all java apps
2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment 
variable (v2.10+ only)
4. zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class


There's a lot of scanning going on at the moment, so if you have an 
exposed java instance running something which includes log4j2, you may 
already be compromised.


Nick

Re: Log4j mitigation

2021-12-11 Thread Jared Mauch 
This is largely a patching exercise for people that use the software. If you 
use it, please patch. 

Sent via RFC1925 complaint device

> On Dec 10, 2021, at 10:59 PM, Andy Ringsmuth  wrote:
> 
> The intricacies of Java are over my head, but I’ve been reading about this 
> Log4j issue that sounds pretty bad.
> 
> What do we know about this? What, if anything, can a network operator do to 
> help mitigate this? Or even an end user?
> 
> 
> Andy Ringsmuth
> 5609 Harding Drive
> Lincoln, NE 68521-5831
> (402) 304-0083
> a...@andyring.com

Re: questions about ARIN ipv6 allocation

2021-12-11 Thread John Curran 

On 10 Dec 2021, at 5:00 PM, John Gilmore mailto:g...@toad.com>> 
wrote:
...
Owen, the root of your problem is that you signed an LRSA with ARIN,
rather than keeping your legacy resources un-tainted by an ARIN contract
that deliberately reduced your rights

Signing a contract with ARIN certainly clarifies and makes specific the rights 
involved, but it is not possible to say “reduces” with any certainty as the 
existing rights are rather unclear without a specific statement of what rights 
were granted at the time.   Alas, issuance of number resources in the early 
days did not make the rights or associated obligations clear.   Some legacy 
resource holders find entering into an RSA with ARIN to be quite useful and 
others prefer not to – that choice is up to them, and is not required as the 
the ARIN Board of Trustees has directed that ARIN continue to provide the same 
basic registration services available at our formation to all legacy resource 
holders without fee or contract.

The short-term contract for the transfer honors and retains the legacy
status of those resources: that you own them, not the ARIN fiction that
an RIR now controls them and will steal them from you if you stop paying
them annually.

For organizations that do enter into a registration agreement with ARIN, there 
are indeed obligations (such as payment of registry fees) that are quite real 
but also benefits such as the ability to obtain new services funded by such 
fees and participation in the governance of ARIN.  As noted above - folks can 
enter into an agreement (or not) as they deem best.  Note one of the other 
advantages of the upcoming change to ARIN’s fee structure is that it will also 
open up ARIN membership and voting to all contracted registry customers with 
IPv4 or IPv6 number resources – rather than just those previously deemed ISPs – 
so those who do enter into a RSA and choose to participate in ARIN governance 
will have the equal ability to vote for the Board and set ARIN’s practices with 
regard to legacy resource holders.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers