SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    Log4j -- The Internet is on fire. HUGE global security vulnerability.
Page 1 2 
Go
New
Find
Notify
Tools
Reply
  
Log4j -- The Internet is on fire. HUGE global security vulnerability. Login/Join 
Seeker of Clarity
Picture of r0gue
posted
Just Google Log4j. There's no end to the articles already, and it will just continue.

Cliff Notes: Many/Most/All(?) software vendors use bits of old code when they build new code. Some use a lot. Many use open source (unlicensed and free to use) software called Java under the hood of their commercial software. A new vulnerability allows remote bad actors to take over any system with this flaw with trivial ease. This vulnerability is thought to be present in HUNDREDS OF MILLIONS of systems world-wide.

Software re-use. They built castles on a free foundation, which we now learn is terribly flawed. It’s used in damn near everything. From global top tier software, to refrigerators. And this (ubiquitous use of Java) was NOT unknown. We’ve been talking about this for years. The industry I mean, not just me or my team.

It was in my home Ubiquiti router. I had to do an upgrade yesterday. And I'm still not sure someone didn't plant something for future access. We're patching multiple internal systems at work. Luckily none exposed to the Internet.

-- Some quotes from articles this morning:

“If you have an internet-facing server vulnerable to Log4Shell that you haven't patched yet, you almost certainly have an incident response on your hands,” says incident responder and former NSA hacker Jake Williams. “Threat actors were quick to operationalize this vulnerability."

“In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays. You don’t want to think about the worst-case scenario.”




 
Posts: 11472 | Registered: August 02, 2004Reply With QuoteReport This Post
chickenshit
Picture of rsbolo
posted Hide Post
Oh joy.

Thanks for the heads up.


____________________________
Yes, Para does appreciate humor.
 
Posts: 8000 | Location: East Central FL | Registered: January 05, 2009Reply With QuoteReport This Post
Seeker of Clarity
Picture of r0gue
posted Hide Post
Watch out for kid's software on you home computers/hardware. A lot of games use this stuff. Minecraft for example. If they log into web services with any Java based games, it's a big risk until this is patched up. Including the game, on your hardware.

It's under the covers on damn near everything. This is gonna leave a mark I'm afraid. Frown




 
Posts: 11472 | Registered: August 02, 2004Reply With QuoteReport This Post
Happily Retired
Picture of Bassamatic
posted Hide Post
Yeah, I think we have known this since Al Gore invented the internet. The more of your personal data that you put out there, the more vulnerable you become. Buyer beware.



.....never marry a woman who is mean to your waitress.
 
Posts: 5186 | Location: Lake of the Ozarks, MO. | Registered: September 05, 2005Reply With QuoteReport This Post
Member
Picture of PGT
posted Hide Post
For the non-technical, a picture is worth 1000 words

 
Posts: 3186 | Location: Loudoun VA | Registered: December 21, 2014Reply With QuoteReport This Post
Member
Picture of erj_pilot
posted Hide Post
Source article link?? Thank you…



"If you’re a leader, you lead the way. Not just on the easy ones; you take the tough ones too…” – MAJ Richard D. Winters (1918-2011), E Company, 2nd Battalion, 506th Parachute Infantry Regiment, 101st Airborne

"Woe to those who call evil good, and good evil... Therefore, as tongues of fire lick up straw and as dry grass sinks down in the flames, so their roots will decay and their flowers blow away like dust; for they have rejected the law of the Lord Almighty and spurned the word of the Holy One of Israel." - Isaiah 5:20,24
 
Posts: 11066 | Location: NW Houston | Registered: April 04, 2012Reply With QuoteReport This Post
Member
Picture of SPWAMike0317
posted Hide Post
Here is a breakdown. https://www.zdnet.com/article/...to-protect-yourself/

"A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework."

FWIW, logging errors in applications is critical. Apache is widely deployed so log4J is out there.

The question for all CEO's: Can your CIO/CSO provide a detailed inventory of applications that use the vulnerable versions of log4j? Now, can that inventory be provided within an hour of your request? If not, your DevOps program is out of control and you are vulnerable.

I worked over 40 years in IT Infrastructure. My last two years involved many conversations with "DevOps" folks on the need for version control, change control and security measures. My take? There are some organizations that will be hit hard because they didn't implement a secure DevOps program.

It's not TEOTWAWKI but it will be career ending for some CIO/CSO. Any CIO/CSO that cannot produce that inventory within 1 hour of request has failed and should be called to task.



Let me help you out. Which way did you come in?
 
Posts: 766 | Location: North of Pittsburgh, PA | Registered: January 29, 2013Reply With QuoteReport This Post
Member
posted Hide Post
Glad I have an older refrigerator.
 
Posts: 4979 | Registered: April 20, 2010Reply With QuoteReport This Post
Domari Nolo
Picture of Chris17404
posted Hide Post
Yep. Dealing with this at work.



 
Posts: 2352 | Location: York, PA | Registered: May 17, 2006Reply With QuoteReport This Post
Member
Picture of ridewv
posted Hide Post
As long as it doesn't crash my wood stove or well pump I'll be alright.


No car is as much fun to drive, as any motorcycle is to ride.
 
Posts: 7390 | Location: Northern WV | Registered: January 17, 2005Reply With QuoteReport This Post
Purveyor of
Fine Avatars
Picture of Orguss
posted Hide Post
Oh noes! A security flaw with Java?! Say it ain't so!

When hasn't there been an issue with Java?



"I'm yet another resource-consuming kid in an overpopulated planet raised to an alarming extent by Hollywood and Madison Avenue, poised with my cynical and alienated peers to take over the world when you're old and weak!" - Calvin, "Calvin & Hobbes"
 
Posts: 18126 | Location: Sonoma County, CA | Registered: April 09, 2004Reply With QuoteReport This Post
Yew got a spider
on yo head
Picture of DoctorSolo
posted Hide Post
quote:
Originally posted by Orguss:
Oh noes! A security flaw with Java?! Say it ain't so!

When hasn't there been an issue with Java?


Seriously.
 
Posts: 5253 | Location: Colorado Springs | Registered: April 12, 2006Reply With QuoteReport This Post
Dances With
Tornados
posted Hide Post
I know nothing about this, but I just want to ask, is Apple more secure, more resistant, whatever, to this stuff? Seems like I never hear about Apple getting virus or malware????

Thanks
.
 
Posts: 12064 | Location: Near Hooker Oklahoma, closer to Slapout Oklahoma | Registered: October 26, 2009Reply With QuoteReport This Post
Nullus Anxietas
Picture of ensigmatic
posted Hide Post
quote:
Originally posted by r0gue:
It was in my home Ubiquiti router.

In the router, or in the Ubiquiti UniFi Network framework? Near as I've been able to tell, only in the latter. E.g.: My Ubiquiti ERL is not vulnerable.

quote:
Originally posted by SPWAMike0317:
"A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework."

FWIW, logging errors in applications is critical. Apache is widely deployed so log4J is out there.

Yes, Apache is widely-deployed, but, as noted in the cited article, log4j will be present only if there's a Java framework.

I've Apache deployed on three Internet-facing servers. None have any Java frameworks installed. Thus none are vulnerable.

For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications: Log4j overview related software

None of my Internet-facing devices or services are vulnerable. If I have any IoT devices vulnerable I'm not overly-concerned, as I don't allow arbitrary connections from the Internet to devices on my internal LAN.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26032 | Location: S.E. Michigan | Registered: January 06, 2008Reply With QuoteReport This Post
Fighting the good fight
Picture of RogueJSK
posted Hide Post
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications: Log4j overview related software


Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.

I'm sure the state IT guys are running around with their hair on fire right now.
 
Posts: 33458 | Location: Northwest Arkansas | Registered: January 06, 2008Reply With QuoteReport This Post
Info Guru
Picture of BamaJeepster
posted Hide Post
quote:
Originally posted by RogueJSK:
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications: Log4j overview related software


Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.

I'm sure the state IT guys are running around with their hair on fire right now.


The Virginia legislative system has been down since Monday..
https://wset.com/news/local/vi...re-ransomware-attack

One of our vendors reported they were down on Monday as well - luckily we don't use them for this, but they have a lot of companies that do use them for HR and Payroll...All down and their best estimate is several weeks. Imagine your timeclock, HR and payroll being down from now thru the end of the year Eek Eek

https://www.usatoday.com/story...ack-2021/6501274001/



“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence.”
- John Adams
 
Posts: 29408 | Location: In the red hinterlands of Deep Blue VA | Registered: June 29, 2001Reply With QuoteReport This Post
Member
posted Hide Post
quote:
Originally posted by RogueJSK:
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications: Log4j overview related software


Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.

I'm sure the state IT guys are running around with their hair on fire right now.


Likely, the state does not run its own servers or networks. It’ll all be farmed out to the lowest bidder vendors. IBM, VMWARE, Oracle, F5, etc. etc. Moreover, it’ll be a combination of all of these vendors, not just one overall. It’ll be a CRITSIT shitshow for sure.

The saving grace is that the hackers are not probably very interested in court records but the more high value targets like Vangaurd, Fidelity, banks.

Makes me wonder how much of the bitcoin stuff has this vulnerability baked into it. Stay tuned I suppose.



 
Posts: 4756 | Registered: July 06, 2005Reply With QuoteReport This Post
W07VH5
Picture of mark123
posted Hide Post
quote:
Originally posted by Orguss:
Oh noes! A security flaw with Java?! Say it ain't so!

When hasn't there been an issue with Java?
Yeah. It needs to be scrapped. If it’s needed with no alternative, it needs to be run on a VM that’s locked down with no external access.
 
Posts: 45677 | Location: Pennsyltucky | Registered: December 05, 2001Reply With QuoteReport This Post
Member
Picture of sigcrazy7
posted Hide Post
You're hating it if you work for Cisco. Those folks must be in full on crisis mode.

I don't see Apple, MSFT other than Azure, and Synology on the list. I should be GTG. I'm not running any Dockers at the moment, so no worries there.



Demand not that events should happen as you wish; but wish them to happen as they do happen, and you will go on well. -Epictetus
 
Posts: 8292 | Location: Utah | Registered: December 18, 2008Reply With QuoteReport This Post
A Grateful American
Picture of sigmonkey
posted Hide Post
Checked the list.

sigmonkey 1.0 retired not vulnerable




"the meaning of life, is to give life meaning" Ani Yehudi אני יהודי Le'olam lo shuv לעולם לא שוב!
 
Posts: 44715 | Location: ...... I am thrice divorced, and I live in a van DOWN BY THE RIVER!!! (in Arkansas) | Registered: December 20, 2008Reply With QuoteReport This Post
  Powered by Social Strata Page 1 2  
 

SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    Log4j -- The Internet is on fire. HUGE global security vulnerability.

© SIGforum 2024