SO. If you already patched Log4J you have to patch again. There’s a new Denial of Service attack. Just dropped a few hours ago. Yes, this again.
IF YOU WERE DEPENDING ON JAVA VERSIONS TO PROTECT YOU FROM RCE INSTEAD OF DIRECTLY PATCHING LOG4J THAT IS NO LONGER A VIABLE MITIGATION STRATEGY.
ALL VERSIONS OF JAVA CAN NOW TRIGGER FULL RCE DUE TO A BYPASS
PATCH LOG4J ASAP!
The Patched Version
https://logging.apache.org/log4j/2.x/download.html
Apache Post
https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
Common Homelab App’s Vulnerability Checklist
List of Companies Responses
What does this mean now?
Oh dear, they have to upload that to Mars 2020 now.
So how do I patch this on my lowly personal pc?
For personal PC’s, the vendor for what ever java software you’re running will need to supply a patched version of their app (if they were affected).
Like Minecraft that claims their 1.18.1 version is now immune as of 2 days ago.
Has anyone gotten the Docker scan tool working?
How do i go about patching? I can’t find anything easily explained in common english. I am not a server or systems admin like a lot of you are. I am new to linux and am very frustrated with trying to figure out how to patch this vulnerability.
Everything is vague and meant for people who have experience with this kind of thing.
Tell me every service you run, we can go down the list one by one and determine the blast radius for you.
Im actually more worried about services that I do not know I am running.
List of known common homelab apps with Log4J? Bad zero day just announced
Are there any other non-homelabbity things I should be worried about? How about other java clients? in other OSes like Android and iOS? I just tried to update stuff. Everything seems fine so far.
Minecraft server, jellyfin, plex, wireguard, handbrake. that is all that i primarily run. it is all on popos. Whatever else that is a process or dependency might be an issue.
The only one to worry about is the Minecraft server. And if you’ve patched to the latest version of you’ll be fine.
To be clear, only the server side is in trouble? Are clients and client programs relatively safe or are we all just ultimately F***ed up because by nature of the vulnerability residing in a server, the servers will eventually pwn all of us as well?
any java program using log4j is vulnerable.
Even clients.
Only if the client remains unpatched though.
I could be wrong but…
Comes down to what generates (and then validates) logs, surely?
And that could be any number of services?
I don’t run a website, not even a personal blog, but things like cockpit, steam client, filezilla etc, all potentially log stuff. IF
I will be happily corrected, (very grateful) but if a bad actor can a- generate an error, and b- get the string passed to the error, I’m a bit stumped.
you can send a chat message on a minecraft server and own everyone logged in. If that kinda explains the impact.
even with patched clients (everyone patched their clients by now) it might not be the game itself that reads the log and runs the expoilt. Some plugins might (maybe?)
MS were pretty quick to release a patch to turn off the JSDNI (whatever) check. and just relies on people closing, then opening their app.
for legit copies only, of course…
and again, I’m hypothesising here. happy to be corrected.
