Critical vulnerability in Apache Java open-source logging tool

Post by Vertigo 7 » Mon, 13. Dec 21, 21:22

https://cve.mitre.org/cgi-bin/cvename.c ... 2021-44228

Short version:

Any instance of log4j2 up to and including 2.14 is vulnerable to remote code execution attacks on any platform (yes, this includes Linux) via LDAP. This is an open-source logging tool used by many developers, not just Apache web servers. Suggested remediation is to update to version 2.15 or disable certain Java controls on this applet.

https://logging.apache.org/log4j/2.x/security.html for additional details.
The Future is Progressive!
rebellionpac.com
Fight white supremacy, fight corporate influence, fight for the rights of all peoples!

Post by red assassin » Mon, 13. Dec 21, 21:27

Fortunately, if you find any vulnerable servers, you can patch them with this handy tool... whether or not it's your server: https://github.com/Cybereason/Logout4Shell
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

Post by Vertigo 7 » Mon, 13. Dec 21, 21:41

True, but not so easy to do in the patient care realm. Fortunately, we can block the traffic at the firewall in the meantime while we wait on official patching from the vendors. In the meantime, tho, this Java applet is in use by game developers as well, including Minecraft and other Java-based games and apps. It's all over the place.

Post by red assassin » Mon, 13. Dec 21, 21:53

For the record, I'm not actually recommending exploiting the vulnerability to patch it on random servers! Unfortunately it's a bit of a challenging vulnerability to mitigate on network in the general case, because you don't know where a value in traffic might end up getting passed to a logger somewhere. (It might not even be in real time!)

Post by Vertigo 7 » Mon, 13. Dec 21, 22:29

Oh, Steam cloud services are also impacted by this exploit.

Post by Vertigo 7 » Wed, 15. Dec 21, 21:05

https://cve.mitre.org/cgi-bin/cvename.c ... 2021-45046

Updating the logging tool to 2.15 has not completely remediated the vulnerability in log4j. Current recommendation is to update to 2.16, and some vendors are already making updates available.

Post by Vertigo 7 » Mon, 20. Dec 21, 17:27

https://nvd.nist.gov/vuln/detail/CVE-2021-45105
aaaaand 2.16 is still not good enough.
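
An inventory check for the version thresholds reported in this thread, as an added example that is not from any poster or from the Log4j project: it finds log4j-core JARs on disk, including ones bundled inside WAR or fat-JAR archives, and lists which of the three CVEs linked above apply. The function names and the comparison on the 2.x minor version alone are assumptions of this sketch, and it ignores vendor backports.

```python
import io
import re
import zipfile
from pathlib import Path

# Thresholds taken from the thread: the 2.15 and 2.16 updates each left a CVE open.
# Simplification (assumption): keyed on the 2.x minor version only, ignoring backported fixes.
THREAD_CVES = [
    (14, "CVE-2021-44228"),  # "up to and including 2.14"
    (15, "CVE-2021-45046"),  # 2.15 "has not completely remediated"
    (16, "CVE-2021-45105"),  # "2.16 is still not good enough"
]
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def cves_for(major, minor):
    """CVEs from the thread that apply to log4j-core major.minor."""
    if major != 2:
        return []
    return [cve for max_minor, cve in THREAD_CVES if minor <= max_minor]

def _scan_archive(data, label, depth, findings):
    """Look inside an archive for bundled log4j-core JARs (fat JARs, WARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            inner = f"{label}!{name}"
            m = JAR_NAME.search(name)
            if m:
                findings.append((inner, f"{m[1]}.{m[2]}", cves_for(int(m[1]), int(m[2]))))
            elif name.lower().endswith(ARCHIVE_EXT) and depth > 0:
                _scan_archive(zf.read(name), inner, depth - 1, findings)

def scan(root, depth=3):
    """Return (location, version, cves) for every log4j-core JAR under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not path.name.lower().endswith(ARCHIVE_EXT):
            continue
        m = JAR_NAME.search(path.name)
        if m:
            findings.append((str(path), f"{m[1]}.{m[2]}", cves_for(int(m[1]), int(m[2]))))
        else:
            _scan_archive(path.read_bytes(), str(path), depth - 1, findings)
    return findings
```

Detection relies on the JAR file name, so shaded builds that merge the log4j classes into another JAR without keeping that name are not reported.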
