Log4J CVE-2021-44228

SO. If you already patched Log4J you have to patch again. There’s a new Denial of Service attack. Just dropped a few hours ago. Yes, this again.

IF YOU WERE DEPENDING ON JAVA VERSIONS TO PROTECT YOU FROM RCE INSTEAD OF DIRECTLY PATCHING LOG4J THAT IS NO LONGER A VIABLE MITIGATION STRATEGY.

ALL VERSIONS OF JAVA CAN NOW TRIGGER FULL RCE DUE TO A BYPASS

PATCH LOG4J ASAP!

https://t.co/08Vk9pXBGN

4 Likes

The Patched Version
https://logging.apache.org/log4j/2.x/download.html

Apache Post

https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4

Common Homelab App’s Vulnerability Checklist

List of Companies Responses

2 Likes

What does this mean now?

2 Likes

Oh dear, they have to upload that to Mars 2020 now.

3 Likes

So how do I patch this on my lowly personal pc?

2 Likes

For personal PCs, the vendor for whatever Java software you’re running will need to supply a patched version of their app (if they were affected).

1 Like

Like Minecraft that claims their 1.18.1 version is now immune as of 2 days ago.

1 Like

Has anyone gotten the Docker scan tool working?

1 Like

How do I go about patching? I can’t find anything easily explained in common English. I am not a server or systems admin like a lot of you are. I am new to Linux and am very frustrated with trying to figure out how to patch this vulnerability.

Everything is vague and meant for people who have experience with this kind of thing.

3 Likes

Tell me every service you run, we can go down the list one by one and determine the blast radius for you.

2 Likes

I’m actually more worried about services that I do not know I am running.

List of known common homelab apps with Log4J? Bad zero day just announced

Are there any other non-homelabby things I should be worried about? How about other Java clients? In other OSes like Android and iOS? I just tried to update stuff. Everything seems fine so far.

4 Likes
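One way to answer “what am I running that ships log4j?” on a Linux box, as an added example (not code from this thread or from Apache): a POSIX shell script that walks a directory tree for log4j-core jars, reads the version from the filename, and flags anything older than a minimum version. The 2.17.0 default, the function names and the constructed sample tree are assumptions of this example; set the minimum to whatever the Apache download page linked above currently lists.

```shell
#!/bin/sh
# Added example, not part of the thread: find log4j-core jars under a
# directory and flag those older than a minimum version.
# Assumptions: jars keep the standard log4j-core-<version>.jar name; the
# minimum version defaults to 2.17.0 (placeholder: use the release the
# Apache download page currently lists).

# Extract the version from a filename such as .../log4j-core-2.14.1.jar.
# Prints nothing for jars that are not log4j-core (e.g. log4j-api).
log4j_version_from_name() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Return 0 (true) if version $1 is older than version $2, comparing
# dot-separated numeric fields left to right (missing fields count as 0).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a1="${a%%.*}"; b1="${b%%.*}"
        a1="${a1:-0}";  b1="${b1:-0}"
        if [ "$a1" -lt "$b1" ]; then return 0; fi
        if [ "$a1" -gt "$b1" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Walk a directory tree and print one line per log4j-core jar:
#   VULNERABLE <path> <version>   or   OK <path> <version>
scan_for_log4j() {
    dir="$1" minver="${2:-2.17.0}"
    find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(log4j_version_from_name "$jar")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$minver"; then
            printf 'VULNERABLE %s %s\n' "$jar" "$ver"
        else
            printf 'OK %s %s\n' "$jar" "$ver"
        fi
    done
}

# Constructed sample tree (empty files with realistic names) so the
# scanner can be exercised offline; prints the temp directory it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/minecraft/libraries" "$root/other/lib"
    : > "$root/minecraft/libraries/log4j-core-2.14.1.jar"   # old: flagged
    : > "$root/other/lib/log4j-core-2.17.0.jar"             # current: ok
    : > "$root/other/lib/log4j-api-2.14.1.jar"              # api jar: ignored
    printf '%s\n' "$root"
}

# Demo against the constructed tree; on a real system run
#   scan_for_log4j / 2.17.0
SAMPLE_ROOT=$(make_sample_tree)
scan_for_log4j "$SAMPLE_ROOT" 2.17.0
rm -rf "$SAMPLE_ROOT"
```

The filename check is a first pass, not proof of safety: applications that repackage log4j into a single “fat” jar or rename it are missed entirely. For those, list the jar contents (`unzip -l app.jar | grep -i jndilookup`) or use a content-aware scanner such as the Docker tool mentioned in this thread, and in every case the fix is still the vendor’s updated build.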

Here is a screenshot of a post from the Red Team director at United Airlines.

5 Likes

Minecraft server, Jellyfin, Plex, WireGuard, HandBrake. That is all that I primarily run. It is all on Pop!_OS. Whatever else that is a process or dependency might be an issue.

1 Like

The only one to worry about is the Minecraft server. And if you’ve patched to the latest version you’ll be fine.

3 Likes

To be clear, only the server side is in trouble? Are clients and client programs relatively safe or are we all just ultimately F***ed up because by nature of the vulnerability residing in a server, the servers will eventually pwn all of us as well?

1 Like

Any Java program using log4j is vulnerable.

Even clients.

Only if the client remains unpatched though.

3 Likes

I could be wrong but…

Comes down to what generates (and then validates) logs, surely?

And that could be any number of services?

I don’t run a website, not even a personal blog, but things like cockpit, steam client, filezilla etc. all potentially log stuff. IF any of them use log4j, a bad string in an error might cause it. But I just gotta hope any apps get patched before exploited. Or, I could run open software, and actually check source code… but I am too smoothbrained for that…

I will be happily corrected (very grateful), but if a bad actor can (a) generate an error, and (b) get the string passed to the error, I’m a bit stumped.

4 Likes

You can send a chat message on a Minecraft server and own everyone logged in. If that kinda explains the impact.

5 Likes

Even with patched clients (everyone patched their clients by now) it might not be the game itself that reads the log and runs the exploit. Some plugins might (maybe?).

MS were pretty quick to release a patch to turn off the JNDI (whatever) check, and it just relies on people closing, then opening their app.

For legit copies only, of course…

And again, I’m hypothesising here. Happy to be corrected.

1 Like