How do I go about patching? I can’t find anything easily explained in common English. I am not a server or systems admin like a lot of you are. I am new to Linux and am very frustrated with trying to figure out how to patch this vulnerability.
Everything is vague and meant for people who have experience with this kind of thing.
I’m actually more worried about services that I do not know I am running.
List of known common homelab apps with Log4J? Bad zero day just announced
Are there any other non-homelabbity things I should be worried about? How about other Java clients? In other OSes like Android and iOS? I just tried to update stuff. Everything seems fine so far.
Minecraft server, Jellyfin, Plex, WireGuard, HandBrake. That is all that I primarily run. It is all on Pop!_OS. Whatever else that is a process or dependency might be an issue.
To be clear, only the server side is in trouble? Are clients and client programs relatively safe or are we all just ultimately F***ed up because by nature of the vulnerability residing in a server, the servers will eventually pwn all of us as well?
Comes down to what generates (and then validates) logs, surely?
And that could be any number of services?
I don’t run a website, not even a personal blog, but things like Cockpit, Steam client, FileZilla etc. all potentially log stuff. IF any of them use log4j, a bad string in an error might cause it. But I just gotta hope any apps get patched before exploited. Or, I could run open software, and actually check source code… but I am too smoothbrained for that…
I will be happily corrected, (very grateful) but if a bad actor can a- generate an error, and b- get the string passed to the error, I’m a bit stumped.
Even with patched clients (everyone patched their clients by now) it might not be the game itself that reads the log and runs the exploit. Some plugins might (maybe?)
MS were pretty quick to release a patch to turn off the JSDNI (whatever) check, and just relies on people closing, then opening their app.
For legit copies only, of course…
And again, I’m hypothesising here. Happy to be corrected.