JP Vossen via plug on 11 Dec 2021 10:18:41 -0800 |
Re: [PLUG] Apache Log4j 0-day |
On 12/11/21 10:11 AM, Chad Waters via plug wrote:
> On Fri, Dec 10, 2021 at 7:04 PM Keith C. Perry via plug <plug@lists.phillylinux.org> wrote:
>> Passing this along since it seems rather serious for those that use this module.
>> https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
>
> Of course this happened on my day off. It is in some Ubiquiti stuff. I patched my home UDM yesterday.
This seems like a big one. It's an unauthenticated remote code execution bug in a bunch of Apache products that are used a LOT of places, a lot of which are connected to the internet. There is active scanning for this now.

More links:

The first one I saw breaking this news: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

* https://logging.apache.org/log4j/2.x/security.html
* https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
* https://www.bleepingcomputer.com/news/security/minecraft-rushes-out-patch-for-critical-log4j-vulnerability/
  ** The vulnerability is fixed with the release of Minecraft: Java Edition 1.18.1...
* https://www.theregister.com/2021/12/10/log4j_remote_code_execution_vuln_patch_issued/
* https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Notes from https://www.bleepingcomputer.com/news/security/minecraft-rushes-out-patch-for-critical-log4j-vulnerability/

* Apache has already released Log4j 2.15.0 to address this maximum severity vulnerability
* CVE-2021-44228 can also be mitigated in previous releases (2.10 and later) by setting system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath.

Later,
JP
--
-------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
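The notes above give two mitigations for hosts that cannot upgrade immediately: set `log4j2.formatMsgNoLookups=true` on 2.10 and later, or remove the JndiLookup class from the classpath. The script below is an added example (not from the post or from the Log4j project) that does the defender's half of that: it walks a directory for jar files, reads the Maven `pom.properties` that log4j-core ships under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, classifies each jar against the version thresholds the post states (2.15.0 as the fix, 2.10 as the floor for the property), and can rewrite a jar without `org/apache/logging/log4j/core/lookup/JndiLookup.class`. The sample jars it scans are constructed in a temporary directory so it runs offline; the version constants are parameters you should update as the upstream advisory changes.

```python
"""Find log4j-core jars, classify CVE-2021-44228 exposure, strip JndiLookup.class.

Added example, not part of the mailing-list post. All jars scanned in demo()
are constructed stand-ins, not real Log4j artifacts.
"""
import os
import re
import tempfile
import zipfile

# Real paths inside a log4j-core jar (Maven metadata and the class named in the post).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

FIXED = (2, 15, 0)           # release the post names as addressing the bug
MITIGABLE_FROM = (2, 10, 0)  # formatMsgNoLookups honoured from here, per the post


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_jar(path):
    """Classify one jar.

    'not-log4j-core'       - no log4j-core Maven metadata inside
    'fixed'                - version >= FIXED
    'mitigated'            - older, but JndiLookup.class already removed
    'vulnerable-mitigable' - >= 2.10: set log4j2.formatMsgNoLookups=true or strip the class
    'vulnerable'           - older than 2.10: upgrade is the only option listed
    """
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return "not-log4j-core", None
        version = parse_version(zf.read(POM_PROPS).decode())
    has_jndi = JNDI_LOOKUP in names
    if version is not None and version >= FIXED:
        return "fixed", version
    if not has_jndi:
        return "mitigated", version
    if version is not None and version >= MITIGABLE_FROM:
        return "vulnerable-mitigable", version
    return "vulnerable", version


def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class (the post's second mitigation).
    Returns True if the class was present and removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keep every other entry as-is
    os.replace(tmp, path)
    return removed


def scan_dir(root):
    """Walk root and return {jar path: (status, version)} for every .jar found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                p = os.path.join(dirpath, name)
                results[p] = assess_jar(p)
    return results


def make_jar(path, version, with_jndi=True):
    """Build a constructed stand-in for log4j-core-<version>.jar (test data only)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes, constructed


def demo():
    """Constructed scenario: four jars, then strip the class from the 2.14.1 one.
    Returns ({basename: status} before, {basename: status} after)."""
    d = tempfile.mkdtemp()
    make_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(d, "log4j-core-2.15.0.jar"), "2.15.0")
    make_jar(os.path.join(d, "log4j-core-2.8.jar"), "2.8")
    make_jar(os.path.join(d, "other.jar"), None, with_jndi=False)
    before = {os.path.basename(k): v[0] for k, v in scan_dir(d).items()}
    strip_jndi_lookup(os.path.join(d, "log4j-core-2.14.1.jar"))
    after = {os.path.basename(k): v[0] for k, v in scan_dir(d).items()}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in sorted(before):
        print(f"{name}: {before[name]} -> {after[name]}")
```

Two caveats a practitioner should keep in mind: the scan only sees jars on disk, so nested jars (a log4j-core inside a WAR or fat jar) need the archive unpacked first, and stripping the class is a stopgap that does not replace upgrading to the fixed release.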