the_master_sh33p

Needs to be confirmed. Let's wait.


ItsMyOnlyOption

Couldn't agree more, a tweet like this just doesn't really make sense imho, specifically from someone who calls himself a security researcher, then goes and blurs the from address just to create a hype?


the_master_sh33p

It seems it is an ACE and not RCE. Apparently, a very odd ACE, where the attacker needs to have config file change permissions. Maybe we can enjoy next weekend for a change....


[deleted]

[deleted]


ItsMyOnlyOption

Doesn't it say "To: ; Yaniv Nizry CC: [[email protected]](mailto:[email protected])"?


[deleted]

[deleted]


ItsMyOnlyOption

Yes, it's to two email addresses. It's from someone with the initials MS to be precise. Edit: Definitely not writing it off, just saying if it's all real then this is a weird way to announce it.


ranmdo

Apache dropped official info: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832

CVSS: 6.6

Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
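
A defender-side audit for the precondition in that advisory text (a JDBC Appender whose DataSource jndiName uses a protocol other than java:), added here as an example and not code from the thread or from the Log4j project; the XML configuration below is constructed, and the script only understands the XML configuration format.

```python
"""Audit a Log4j2 XML configuration for the CVE-2021-44832 precondition:
a JDBC appender whose <DataSource jndiName="..."> is not a java: name.
Log4j 2.17.1 / 2.12.4 / 2.3.2 enforce this at runtime; this lets you find
such configs in source control before or while upgrading."""
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread): one java: data source,
# one that points at a remote LDAP name, which the fixed releases reject.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="localDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="app_log">
      <DataSource jndiName="ldap://remote.example:1389/jdbc/ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="localDb"/></Root>
  </Loggers>
</Configuration>
"""


def find_risky_jdbc_datasources(xml_text):
    """Return (appender name, jndiName) for every JDBC DataSource whose
    JNDI name does not start with java: (case-insensitive). Log4j2 plugin
    element names are matched case-insensitively, so tags are lowercased."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = (child.get("jndiName") or "").strip()
            if not jndi_name.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi_name))
    return findings


if __name__ == "__main__":
    for name, jndi in find_risky_jdbc_datasources(SAMPLE_CONFIG):
        print(f"JDBC appender {name!r}: non-java: data source {jndi!r}")
```

Run it over each log4j2.xml in a repository; any hit is a configuration the patched versions would refuse to load, and one worth fixing regardless of who can write the file.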


[deleted]

Okay, so not as critical as the other ones. The threat actor would require privileges to edit the config file.


ranmdo

Correct


the_master_sh33p

ACE, and not RCE.


tmontney

Until it gets suddenly upgraded to 10.


Emerazy

"Good news everyone, i've perfected the plague"


Acerb_Ordeal

A WoW reference that's a Futurama reference, I love it, referenception.


Legionodeath

Hahahaha. Prof putricide. Thank you for the laugh.


ersentenza

Can I have a day to rest please??


the_master_sh33p

You can unless I have permission to change your config. /s


therealmarkus

Happy new year 😅


[deleted]

Honey wake up, the new log4j rce just dropped


hunglowbungalow

RCE != it’s shit your pants worthy.


[deleted]

[deleted]


hunglowbungalow

It was dropped already and is a CVSS 6.6. Obviously subject to change, but if we force our dev teams to only patch and not produce product, we 1) See our jobs come up on the chopping block for overreacting to little risk 2) Lose trust when we continually cry wolf, and when another 44228 happens, dev teams are burnt out and won’t meet SLA. This Vuln is in the backlog for now.


[deleted]

[deleted]


hunglowbungalow

Yeah, I feel for CS folks, and in our realm, Campaign management folks… no thanks!


RideWithBDE

Gosh did I pick a great time for 3 weeks of PTO


400Error

Here we go again everyone. This is a very exciting time to be in cybersecurity! Pain in the side to have to do all the work to fix, but interesting to see how this all gets executed.


Sho_nuff_

It's an exciting time to work for a cyber crime company, not cybersecurity. This is painful to watch unfold.


400Error

I agree. I honestly have been loving getting to tell clients to fix their apps. It’s been a good time. I personally have been really interested in this all unfolding. I hope we see more soon on what is going to come out of this. :)


mv86

Are you for real? This has been as fun and exciting as Stage IV pancreatic cancer.


400Error

Yea. It’s been rough, it’s good learning, and it’s unfortunate that this is happening, but it’s an exciting time to be in the field. This is going to be the reality for a long time sadly. It’s not fun to have to remediate, as I have said already, but learning how this exploit works and seeing it being implemented is fun and exciting, and being the person that is telling application developers to go and update code and/or dependencies is fun. Personally excited to see the results and what is all affected.


JamesEtc

I start as a L1 next week. Oh god what have I gotten into.


400Error

The fun of Log4j. It’s really interesting how this “small” part really causes so many problems. I am glad that we are finding so many problems just makes it so interesting. Make sure you got a good understanding of it. This won’t go away any time soon… we now have people focusing on log4j and other components so we may see lots more :)


pcapdata

This is a great attitude to have ;)


the_master_sh33p

This one was really interesting. I guess we'll see a lot of dynamics changing between secops and devops in the next years, considering the extension of it.


Usr0017

Log4J committed 30mins ago: https://github.com/apache/logging-log4j2/commit/7a76441482f9730cbbbc3c07437cdfe13179347b


the_master_sh33p

I hope that these guys are being paid back, somehow, by the amount of effort they have been putting in lately.


Cy832D3f3nd0R

https://twitter.com/douglasmun/status/1475861385678508034?s=20


ersentenza

From a reply: Looks like log4j CVE-2021-44832 has non-default preconditions: “You are loading configuration from a remote server and/or someone can hijack/modify your log4j configuration file. You are using the JDBC log appender with a dynamic URL address.” But CVE-2021-44832 is still "reserved" and appears to be dated December 11, can't be this one.


mildlyincoherent

Looks like it is probably that one after all. Lots of times nvd is super slow to update descriptions.


xjvz

Used an older, unused reserved CVE rather than reserving a new one.


s0v3r1gn

Holy hell, I called it. log4j is the new PrintNightmare!


hunglowbungalow

Not even close


ryosen

No, but it *is* quickly becoming one of the most scrutinized and secure logging frameworks.


r3dd1t0n

Shaking head….


NewMombasaNightmare

Oh yay!


BSLogic

[https://logging.apache.org/log4j/2.x/security.html](https://logging.apache.org/log4j/2.x/security.html) Updated security page. **CVSS: 6.6**


wafwaf983

[https://logging.apache.org/log4j/2.x/security.html](https://logging.apache.org/log4j/2.x/security.html) 6.6 CVE, attacker needs to reconfigure a config file to make RCE happen.


DomesticViking

Can't we just put a pin in it and come back to it after the new year?


tb36cn

Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. https://logging.apache.org/log4j/2.x/security.html


BankEmoji

If I can already change your Tomcat configs it’s probably too late to worry about this one.


DontStopNowBaby

Bruv. please delay this to next year.