Log4j/Log4Shell exploit should I be worried?

Not sure exactly where this topic needs to go.

This has been blowing up my various feeds.
I am curious on whether I should be concerned.
I have all my services behind a VPN, with only that port open to allow access from the outside world, which is also on a non-default port for WireGuard.
At present I haven't really done anything other than shut down the docker for my kids' Minecraft server, but that was also never hosted to the outside world.
I did check to see if there was a patch and couldn't see anything on my phone earlier, so figured the best bet was to just shut 'er down until I can find out more.
Would I be correct in assuming that as long as my firewall is good (OPNsense) and WireGuard is good, that in essence, I'm good?
While I have a half-decent idea of what I am doing, I am by no means a professional working in this field, yet I also don't want my stuff getting hammered.

Edit: for reference, one of the big ones was making sure your UniFi was up to date, which I have… but again it's only ever hosted on the local LAN. I'll also be quite frank in that I don't think I will have an issue from my neighbours trying to hack my UniFi gear.

4 Likes

Not sure about the other services, but Minecraft has a patch. I know Spigot also has a patch that is applied with an update. You'll have to check your Docker container to see if these apply to you.

2 Likes

Patch if you can; if you can't, then yes, be worried.

2 Likes

Yes. To exploit this vulnerability it requires network communication with the HTTP service. If all your services are firewalled off from the outside world, then your only threat would be from the inside.

Here are update instructions
Edit: Removed redundant update link already posted above

2 Likes

Do apps store log4j as a separate file? Like as a .js we might search for?

Or would it be a snippet inside a larger program that generates the logs which log4j handles badly?

I'm guessing the latter, else one could search for a file and not run the app which uses it, at the expense of the app.

1 Like

For this exploit you should indeed be worried if you run Java on your edge services (exposed to the internet) and have not yet patched.

2 Likes

Does Log4j affect Android devices? If so, does that mean we have a bunch of Android phones that can easily be affected by it?

1 Like

According to people on the internet it is not vulnerable to this as it doesn't support JNDI. What's funny/scary though is that Apple servers that were logging everyone's iPhone name were vulnerable to this. I think this is mostly the server applications that tend to use log4j.

1 Like

Here’s a link to a gist of all the responses from companies

2 Likes

Thanks all, there are good links and info here.

Apparently Rakuten has a repo to test if you are vulnerable.

Full disclosure, I don’t endorse this and have no idea if it may be harmful to run.

1 Like

At work, so haven't read yet… just thinking, doesn't it depend on a per-app basis?
The test would have to run each app and generate a log therein?

But thanks, I wanted a way to check, so I appreciate it!

[edit: unless the link just tests your web page publishing suite, like Apache/whatever, to see if pages you host will be vulnerable, rather than other Java-dependent apps?]

As far as I can tell, they just give an example with HTTP server, but you can log anything that contains that specific string and their test server URL/IP. You probably need to test every app individually I guess.

The more I read, the more it looks like a clusterfuck. Some people theorize that if you just pass log data for analysis to a vulnerable Java app, you can trigger the exploit even if it's not public-facing.
LibreOffice runs on Java, right (not sure)? Does that mean crafting a document to trigger an error log that contains the string could be exploitable? Does it even use log4j? IDK.

Some randos on the Internet suggest searching for it, but AGAIN - THIS IS CODE FROM SOME RANDO ON THE INTERNET:

sudo find / -name 'log4j*'

And since that is not enough as it may be hidden in JAR files, you have to search those too…

find / -type f -name '*.jar' -print0 2>/dev/null | while IFS= read -r -d '' f; do echo "Checking $f..."; unzip -l "$f" 2>/dev/null | grep -F org/apache/logging/log4j/core/lookup/JndiLookup.class; done

I have no idea if this would be effective in finding anything, but if someone who knows their stuff wishes to take a look, here is the reference.

1 Like
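An added example, not code from the thread or from anyone quoted in it: a Python scanner that looks for the same JndiLookup.class indicator as the unzip|grep one-liner above, but also descends into JARs nested inside WAR/EAR/ZIP archives, which that one-liner misses. The archives it builds for the demo are constructed fixtures holding placeholder bytes, not real class files.

```python
import io, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def _scan_archive(data, label, findings):
    """Record label if the archive holds JndiLookup; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                findings.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS):
                _scan_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):
    """Return a label (relative path, '!' separating nested archives) per hit under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), os.path.relpath(path, root), findings)
            except OSError:
                pass  # unreadable file: skip it rather than abort the whole scan
    return findings

def build_sample_tree(root):
    """Constructed fixture: a hit JAR, a WAR nesting that JAR, and a clean JAR."""
    hit = io.BytesIO()
    with zipfile.ZipFile(hit, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    os.mkdir(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-sample.jar"), "wb") as fh:
        fh.write(hit.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-sample.jar", hit.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root))  # hits only; clean.jar is not listed
```

Point scan_tree at a real directory (for example a container's /opt or a service's lib folder) to get the list of archives, nested ones included, that still ship the JndiLookup class.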

That is what I wasn't sure about.

But if it was that easy, I presume we would have heard by now.

Searching the entire directory tree starting at root for a string inside a file will take ages to run and likely dox production machines.

I do not recommend.

Seriously, if you need to figure something out then get a meeting with all stakeholders and application owners and ask probing questions.

  • “What do you run?”
  • “What is the stack?”
  • “How are logs ingested?”
  • “What is the current patch level?”
  • “Is this an edge service?”
  • “What is the blast radius?”

I can’t seem to find anything on this exploit and nginx. Is nginx affected?

@PhaseLockedLoop

Not directly to my knowledge

Here ya go

2 Likes

Looks like it's not… nginx is F5 now, AFAIK.