This has been blowing up my various feeds.
I am curious on whether I should be concerned.
I have all my services behind a VPN, with only that port open to allow access from the outside world, which is also on a non-default port for WireGuard.
At present I haven't really done anything other than shut down the Docker container for my kids' Minecraft server, but that was also never hosted to the outside world.
I did check to see if there was a patch and couldn't see anything on my phone earlier, so figured the best bet was to just shut 'er down until I can find out more.
Would I be correct in assuming that as long as my firewall is good (OPNsense) and WireGuard is good, that in essence, I'm good?
While I have a half-decent idea of what I am doing, I am by no means a professional working in this field, yet I also don't want my stuff getting hammered.
edit - for reference, one of the big ones was making sure your UniFi was up to date, which I have… but again it's only ever hosted on the local LAN. I'll also be quite frank in that I don't think I will have an issue from my neighbours trying to hack my UniFi gear.
Not sure about the other services, but Minecraft has a patch. I know spigot also has a patch that is applied with an update. You’ll have to check your docker container to see if these apply to you.
Yes. To exploit this vulnerability it requires network communication with the HTTP service. If all your services are firewalled off from the outside world, then your only threat would be from the inside.
Here are update instructions
Edit: Removed redundant update link already posted above
According to people on the internet it is not vulnerable to this as it doesn't support JNDI. What's funny/scary though is that Apple servers that were logging everyone's iPhone name were vulnerable to this. I think this is mostly the server applications that tend to use log4j.
At work, so haven't read yet… just thinking, doesn't it depend on a per-app basis?
The test would have to run each app, and generate a log therein?
But thanks, I wanted a way to check, so I appreciate it!
[edit: unless the link just tests your web page publishing suite, like Apache/whatever, to see if pages you host will be vulnerable, rather than other Java-dependent apps?]
As far as I can tell, they just give an example with HTTP server, but you can log anything that contains that specific string and their test server URL/IP. You probably need to test every app individually I guess.
The more I read, the more it looks like a clusterfuck. Some people theorize that if you just pass log data for analysis to a vulnerable Java app you can trigger the exploit even if it's not public-facing.
LibreOffice runs on Java, right (not sure)? Does that mean crafting a document to trigger an error log that contains the string could be exploitable? Does it even use that log4j? IDK.
Some randos on the Internet suggest searching for it, but AGAIN - THIS IS CODE FROM SOME RANDO ON THE INTERNET:
sudo find / -name 'log4j*' 2>/dev/null
And since that is not enough as it may be hidden in JAR files, you have to search those too…
sudo find / -name '*.jar' -print0 2>/dev/null | while IFS= read -r -d '' f; do echo "Checking $f..."; unzip -l "$f" 2>/dev/null | grep -F org/apache/logging/log4j/core/lookup/JndiLookup.class; done
I have no idea if this would be effective in finding anything, but if someone who knows their stuff wishes to take a look, here is the reference.
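An added example, not code from the post above or from any of the projects mentioned: the same search done in Python with the standard `zipfile` module, which also descends into archives nested inside other archives (a WAR with `WEB-INF/lib/log4j-core-*.jar` inside it, which `unzip -l` on the outer file does not show) and reports the log4j-core version from the Maven `pom.properties` that log4j-core jars carry. The `build_sample_tree` fixture is constructed test data (a fake class body and a made-up WAR), not real artifacts.

```python
"""Find JAR/WAR/EAR archives that bundle log4j-core's JndiLookup class,
including archives nested inside other archives. Added example; not from
the original post. Paths for JndiLookup.class and pom.properties follow
the real log4j-core/Maven layout."""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _read_version(zf):
    """Return the log4j-core version from Maven pom.properties, if present."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS_SUFFIX):
            text = zf.read(name).decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def _scan_zip(zf, label, findings):
    """Record a finding if JndiLookup.class is present, then recurse into nested archives."""
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        findings.append({"archive": label, "version": _read_version(zf)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not really a zip; skip it
            with inner:
                _scan_zip(inner, f"{label}!{name}", findings)


def scan_archive(path):
    """Scan one archive on disk; unreadable or non-zip files yield no findings."""
    findings = []
    try:
        with zipfile.ZipFile(path) as zf:
            _scan_zip(zf, path, findings)
    except (zipfile.BadZipFile, OSError):
        pass
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found (spaces in names are fine)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                findings.extend(scan_archive(os.path.join(dirpath, fn)))
    return findings


def build_sample_tree(root=None):
    """Constructed fixture: a fake log4j-core jar nested in a WAR, plus a clean jar."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class file body
        zf.writestr("META-INF/maven/" + POM_PROPS_SUFFIX, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean lib.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in scan_tree(target):
        print(f"{hit['archive']}: JndiLookup present, "
              f"log4j-core version {hit['version'] or 'unknown'}")
```

Run it with a directory as the argument (for example `/opt` or wherever the Docker volumes live) to scan real files; with no argument it scans its own constructed fixture. The `archive!member` label tells you which outer file to update, and the version lets you compare against the fixed releases the update instructions above point to.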