This is a massive nightmare in the cyber world right now.
It's a bit dubious it was reported by Alibaba.
Kind of wondering what Chinese assets may have been hit.
New mod?
Does it correlate to .win being down earlier and the AWS servers earlier in the week?
CCP likely only allowed them to report it because they weren't the ones that found or created the exploit and they knew one of their nation state competitors was using it.
My theory is that the Amazon Web Services (AWS) outages over the last couple of days are related. The log manager is present in a LOT of SaaS and cloud products.
Alibaba reported it, which is basically Chinese Amazon (they have an Alibaba Cloud even).
I think you're spot on, if it's not Chinese tradecraft, they were allowed to expose it.
Valid.
The specific systems are email systems using log4j for extended logging metrics. It's common and major providers are hit heavily. We had to patch it where I am as an updated vector from Apache apparently has been slow to deploy (from what I heard they said Monday).
This is huge! What does it mean, though? Is there a takeaway for non-IT-professionals? Is this another round of bending over and waiting 5 years to discover that China (or whoever) got all of our personal data again?
I'm guessing someone knew, and was happy to keep quiet about it.
Lots of things were powered down today waiting on a fix. It's that bad.
Hmmm
A nightmare…
Trust me, it took all-hands-on-deck to scan code, repositories, servers, etc. to look for Log4j-specific usage.
Many, many hours and multiply this across all enterprises.
Maxwell prosecution rests, AWS services disruptions, Java servers being actively scanned for vulnerabilities >>> nothing to see here.
I believe the Minecraft patch instructions are in this article that popped up.
I need to get this fixed first thing tomorrow when I get back from the day's events tomorrow.
https://www.pcgamer.com/amp/minecraft-java-edition-should-be-patched-immediately-after-high-severity-exploit-discovered-across-web/
"As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Although, users of older versions may also be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath."
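
An added example (not from the thread or the quoted article) of the kind of inventory check the comments above describe: it inspects JAR/WAR bytes, including nested archives, for a log4j-core version in the quoted 2.0 to 2.14.1 range and for the presence of the JndiLookup class. The function names and the sample archives built by `make_zip` are constructed for illustration.

```python
import io
import re
import zipfile

# Entry names used inside a log4j-core JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Affected range as quoted in the thread: 2.0 through 2.14.1.
LOW, HIGH = (2, 0, 0), (2, 14, 1)


def parse_version(text):
    """Return (major, minor, patch) from a 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan_archive(data, label="archive"):
    """Scan JAR/WAR bytes, recursing into nested archives; return findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if POM_PROPS in names or has_jndi:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            in_range = version is not None and LOW <= version <= HIGH
            # Assumption: an unknown version with the class present counts as exposed.
            exposed = has_jndi and (in_range or version is None)
            findings.append({"path": label, "version": version,
                             "jndi_lookup": has_jndi, "exposed": exposed})
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(zf.read(name), f"{label}!{name}")
    return findings


def make_zip(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

To scan a file on disk, pass its bytes as `data`; the `log4j2.formatMsgNoLookups` system property is a runtime setting and is not visible to a scan of the archive itself.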