Seeker of Clarity
Just Google Log4j. There's no end to the articles already, and it will just continue. Cliff Notes: Many/Most/All(?) software vendors use bits of old code when they build new code. Some use a lot. Many use open source (unlicensed and free to use) software called Java under the hood of their commercial software. A new vulnerability allows remote bad actors to take over any system with this flaw with trivial ease. This vulnerability is thought to be present in HUNDREDS OF MILLIONS of systems worldwide. Software re-use. They built castles on a free foundation, which we now learn is terribly flawed. It's used in damn near everything. From global top tier software, to refrigerators. And this (ubiquitous use of Java) was NOT unknown. We've been talking about this for years. The industry I mean, not just me or my team. It was in my home Ubiquiti router. I had to do an upgrade yesterday. And I'm still not sure someone didn't plant something for future access. We're patching multiple internal systems at work. Luckily none exposed to the Internet.

-- Some quotes from articles this morning:

"If you have an internet-facing server vulnerable to Log4Shell that you haven't patched yet, you almost certainly have an incident response on your hands," says incident responder and former NSA hacker Jake Williams. "Threat actors were quick to operationalize this vulnerability."

"In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays. You don't want to think about the worst-case scenario."

chickenshit
Oh joy. Thanks for the heads up.
____________________________
Yes, Para does appreciate humor.

Seeker of Clarity
Watch out for kids' software on your home computers/hardware. A lot of games use this stuff. Minecraft for example. If they log into web services with any Java-based games, it's a big risk until this is patched up. Including the game, on your hardware. It's under the covers on damn near everything. This is gonna leave a mark, I'm afraid.

Happily Retired
Yeah, I think we have known this since Al Gore invented the internet. The more of your personal data that you put out there, the more vulnerable you become. Buyer beware.
.....never marry a woman who is mean to your waitress.

Member
For the non-technical, a picture is worth 1000 words

Member
Source article link?? Thank you…
"If you're a leader, you lead the way. Not just on the easy ones; you take the tough ones too…" – MAJ Richard D. Winters (1918-2011), E Company, 2nd Battalion, 506th Parachute Infantry Regiment, 101st Airborne
"Woe to those who call evil good, and good evil... Therefore, as tongues of fire lick up straw and as dry grass sinks down in the flames, so their roots will decay and their flowers blow away like dust; for they have rejected the law of the Lord Almighty and spurned the word of the Holy One of Israel." - Isaiah 5:20,24

Member
Here is a breakdown. https://www.zdnet.com/article/...to-protect-yourself/

"A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework."

FWIW, logging errors in applications is critical. Apache is widely deployed so log4j is out there. The question for all CEOs: Can your CIO/CSO provide a detailed inventory of applications that use the vulnerable versions of log4j? Now, can that inventory be provided within an hour of your request? If not, your DevOps program is out of control and you are vulnerable. I worked over 40 years in IT Infrastructure. My last two years involved many conversations with "DevOps" folks on the need for version control, change control and security measures. My take? There are some organizations that will be hit hard because they didn't implement a secure DevOps program. It's not TEOTWAWKI but it will be career ending for some CIO/CSO. Any CIO/CSO that cannot produce that inventory within 1 hour of request has failed and should be called to task.
Let me help you out. Which way did you come in?
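An inventory helper in the spirit of the question above, added here as an example (it is not code from this thread or from Apache). It walks a directory for jar/war/ear archives, reads log4j-core's Maven pom.properties, descends into jars nested inside wars, and flags versions below 2.15.0; the 2.15.0 cut-off for Log4Shell and the sample archives built in `demo()` are the example's own assumptions.

```python
# Added example, not from this thread or Apache. Assumption: Log4Shell affects
# log4j-core 2.x before 2.15.0; log4j 1.x is not covered by this check.
import io, os, re, tempfile, zipfile
FIXED_IN = (2, 15, 0)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def core_version(zf):
    """Version tuple of log4j-core in an archive (nested jars too); None if absent."""
    for name in zf.namelist():
        if name == POM:  # shaded/fat jars keep this path, so it survives repackaging
            m = re.search(rb"^version=(\d+)\.(\d+)(?:\.(\d+))?", zf.read(name), re.M)
            return tuple(int(x or 0) for x in m.groups()) if m else None
        if name.endswith(".jar"):  # e.g. WEB-INF/lib/*.jar inside a war
            v = core_version(zipfile.ZipFile(io.BytesIO(zf.read(name))))
            if v:
                return v
    return None

def inventory(root):
    """Walk a tree; return {archive path: (version, vulnerable?)}."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        v = core_version(zf)
                except zipfile.BadZipFile:
                    continue  # misnamed file: skip it rather than abort the sweep
                if v:
                    found[path] = (v, v[0] == 2 and v < FIXED_IN)
    return found

def archive(entries):  # constructed sample archive from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():  # constructed tree: old jar, patched jar, war nesting an old jar, junk
    root = tempfile.mkdtemp()
    files = {"old.jar": archive({POM: b"version=2.14.1\n"}),
             "patched.jar": archive({POM: b"version=2.17.1\n"}),
             "legacy.war": archive({"WEB-INF/lib/log4j-core.jar": archive({POM: b"version=2.13.3\n"})}),
             "junk.jar": b"not an archive"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): r for p, r in inventory(root).items()}
```

Run `inventory("/opt")` (or wherever applications live) on a real host; the pom.properties check catches log4j-core even when it has been bundled into a larger application jar under a different file name.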

Member
Glad I have an older refrigerator.

Domari Nolo
Yep. Dealing with this at work.

Member
As long as it doesn't crash my wood stove or well pump I'll be alright.
No car is as much fun to drive, as any motorcycle is to ride.

Purveyor of Fine Avatars
Oh noes! A security flaw with Java?! Say it ain't so! When hasn't there been an issue with Java?
"I'm yet another resource-consuming kid in an overpopulated planet raised to an alarming extent by Hollywood and Madison Avenue, poised with my cynical and alienated peers to take over the world when you're old and weak!" - Calvin, "Calvin & Hobbes"

Yew got a spider on yo head
Seriously.

Dances With Tornados
I know nothing about this, but I just want to ask, is Apple more secure, more resistant, whatever, to this stuff? Seems like I never hear about Apple getting viruses or malware???? Thanks.

Nullus Anxietas
In the router, or in the Ubiquiti UniFi Network framework? Near as I've been able to tell, only in the latter. E.g.: My Ubiquiti ERL is not vulnerable.

Yes, Apache is widely deployed, but, as noted in the cited article, log4j will be present only if there's a Java framework. I've Apache deployed on three Internet-facing servers. None have any Java frameworks installed. Thus none are vulnerable.

For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications: Log4j overview related software

None of my Internet-facing devices or services are vulnerable. If I have any IoT devices vulnerable I'm not overly concerned, as I don't allow arbitrary connections from the Internet to devices on my internal LAN.
"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher

Fighting the good fight
Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications. I'm sure the state IT guys are running around with their hair on fire right now.

Info Guru
The Virginia legislative system has been down since Monday. https://wset.com/news/local/vi...re-ransomware-attack

One of our vendors reported they were down on Monday as well - luckily we don't use them for this, but they have a lot of companies that do use them for HR and Payroll... All down and their best estimate is several weeks. Imagine your timeclock, HR and payroll being down from now through the end of the year. https://www.usatoday.com/story...ack-2021/6501274001/
"Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence." - John Adams

Member
Likely, the state does not run its own servers or networks. It'll all be farmed out to the lowest bidder vendors. IBM, VMware, Oracle, F5, etc. etc. Moreover, it'll be a combination of all of these vendors, not just one overall. It'll be a CRITSIT shitshow for sure. The saving grace is that the hackers are probably not very interested in court records but the more high value targets like Vanguard, Fidelity, banks. Makes me wonder how much of the bitcoin stuff has this vulnerability baked into it. Stay tuned I suppose.

W07VH5
Yeah. It needs to be scrapped. If it's needed with no alternative, it needs to be run on a VM that's locked down with no external access.

Member
You're hating it if you work for Cisco. Those folks must be in full-on crisis mode. I don't see Apple, MSFT other than Azure, and Synology on the list. I should be GTG. I'm not running any Dockers at the moment, so no worries there.
Demand not that events should happen as you wish; but wish them to happen as they do happen, and you will go on well. -Epictetus

A Grateful American
Checked the list. sigmonkey 1.0 retired not vulnerable
"the meaning of life, is to give life meaning" ✡ Ani Yehudi אני יהודי Le'olam lo shuv לעולם לא שוב!