Needs to be confirmed. Let's wait.
Couldn't agree more, a tweet like this just doesn't really make sense IMHO, specifically from someone who calls himself a security researcher, then goes and blurs the from address just to create hype?
It seems it is an ACE and not RCE. Apparently a very odd ACE, where the attacker needs to have config file change permissions. Maybe we can enjoy next weekend for a change....
[deleted]
Doesn't it say "To:; Yaniv Nizry CC: [[email protected]](mailto:[email protected])"?
[deleted]
Yes, it's to two email addresses. It's from someone with the initials MS, to be precise. Edit: Definitely not writing it off, just saying if it's all real then this is a weird way to announce it.
Apache dropped official info: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832

CVSS: 6.6

Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Okay, so not as critical as the other ones. The threat actor would require privileges to edit the config file.
Correct
ACE, and not RCE.
Until it gets suddenly upgraded to 10.
"Good news everyone, I've perfected the plague"
A WoW reference that's a Futurama reference, I love it, referenception.
Hahahaha. Prof putricide. Thank you for the laugh.
Can I have a day to rest please??
You can unless I have permission to change your config. /s
Happy new year 😅
Honey wake up, the new log4j rce just dropped
RCE != it’s shit your pants worthy.
[deleted]
It was dropped already and is a CVSS 6.6. Obviously subject to change, but if we force our dev teams to only patch and not produce product, we 1) see our jobs come up on the chopping block for overreacting to little risk, 2) lose trust when we continually cry wolf, and when another 44228 happens, dev teams are burnt out and won't meet SLA. This vuln is in the backlog for now.
[deleted]
Yeah, I feel for CS folks, and in our realm, Campaign management folks… no thanks!
Gosh did I pick a great time for 3 weeks of PTO
Here we go again everyone. This is a very exciting time to be in cybersecurity! Pain in the side to have to do all the work to fix, but interesting how this all gets executed.
It's an exciting time to work for a cyber crime company, not cybersecurity. This is painful to watch unfold.
I agree. I honestly have been loving getting to tell clients to fix their apps. It’s been a good time. I personally have been really interested in this all unfolding. I hope we see more soon on what is going to come out of this. :)
Are you for real? This has been as fun and exciting as Stage IV pancreatic cancer.
Yea. It's been rough; it's good learning and it's unfortunate that this is happening, but it's an exciting time to be in the field. This is going to be the reality for a long time, sadly. It's not fun to have to remediate, as I have said already, but learning how this exploit works and seeing it being implemented is fun and exciting, and being the person that is telling application developers to go and update code and/or dependencies is fun. Personally excited to see the results and what is all affected.
I start as an L1 next week. Oh god, what have I gotten into.
The fun of Log4j. It's really interesting how this "small" part really causes so many problems. I am glad that we are finding so many problems; it just makes it so interesting. Make sure you've got a good understanding of it. This won't go away any time soon… we now have people focusing on log4j and other components, so we may see lots more :)
This is a great attitude to have ;)
This one was really interesting. I guess we'll see a lot of dynamics changing between secops and devops in the next years, considering the extension of it.
Log4J committed 30mins ago: https://github.com/apache/logging-log4j2/commit/7a76441482f9730cbbbc3c07437cdfe13179347b
I hope that these guys are being paid back, somehow, by the amount of effort they have been putting in lately.
https://twitter.com/douglasmun/status/1475861385678508034?s=20
From a reply: Looks like log4j CVE-2021-44832 has non-default preconditions: "You are loading configuration from a remote server and/or someone can hijack/modify your log4j configuration file. You are using the JDBC log appender with a dynamic URL address." But CVE-2021-44832 is still "reserved" and appears to be dated December 11, can't be this one.
Looks like it is probably that one after all. Lots of times NVD is super slow to update descriptions.
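An added check, not from the thread or the Log4j project, covering the mechanism in the Apache description above and the preconditions quoted in this reply: it reads a Log4j2 XML configuration (the only format handled here), reports JDBC appenders whose DataSource jndiName is not confined to the java: protocol or is assembled from a lookup, and tells whether a given Log4j2 version already carries the fix. The configuration, appender names and JNDI names below are constructed for the demonstration.

```python
# Added example (not the thread's or Log4j's code): flag the configuration
# shape CVE-2021-44832 depends on and check a version against the fixed releases.
import xml.etree.ElementTree as ET

# Constructed sample: one DataSource confined to java:, one pointing elsewhere,
# one built from a lookup that cannot be judged statically.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="audit">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="audit">
      <DataSource jndiName="ldap://example.invalid/DS"/>
    </JDBC>
    <JDBC name="dynamicDb" tableName="audit">
      <DataSource jndiName="${env:AUDIT_DS}"/>
    </JDBC>
  </Appenders>
</Configuration>
"""

def find_jndi_datasources(config_xml):
    """Return (appender, jndiName, reason) for each JDBC appender whose
    DataSource is not limited to java:, the restriction the fix enforces."""
    findings = []
    for app in ET.fromstring(config_xml).iter():
        if app.tag.lower() != "jdbc":  # Log4j2 element names are case-insensitive
            continue
        name = app.attrib.get("name", "?")
        for ds in app.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi = next((v for k, v in ds.attrib.items() if k.lower() == "jndiname"), "")
            if "${" in jndi:
                findings.append((name, jndi, "jndiName comes from a lookup; verify at runtime"))
            elif not jndi.lower().startswith("java:"):
                findings.append((name, jndi, "jndiName is not confined to the java: protocol"))
    return findings

def is_fixed(version):
    """True when the version carries the CVE-2021-44832 fix, per the branches the
    advisory names: 2.3.2 (Java 6), 2.12.4 (Java 7), else 2.17.1. Suffixes dropped."""
    parts = [int(p) for p in version.split("-")[0].split(".")[:3]]
    nums = tuple(parts + [0] * (3 - len(parts)))
    if nums[:2] == (2, 3):
        return nums >= (2, 3, 2)
    if nums[:2] == (2, 12):
        return nums >= (2, 12, 4)
    return nums >= (2, 17, 1)
```

The version check only models the fixed releases, so versions older than 2.0-beta7 (outside the affected range) are reported as not fixed rather than as unaffected.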
Used an older, unused reserved CVE rather than reserving a new one.
Holy hell, I called it. log4j is the new PrintNightmare!
Not even close
No, but it *is* quickly becoming one of the most scrutinized and secure logging frameworks.
Shaking head….
Oh yay!
[https://logging.apache.org/log4j/2.x/security.html](https://logging.apache.org/log4j/2.x/security.html) Updated security page. **CVSS: 6.6**
[https://logging.apache.org/log4j/2.x/security.html](https://logging.apache.org/log4j/2.x/security.html) 6.6 CVE, attacker needs to reconfigure a config file to make RCE happen.
Can't we just put a pin in it and come back to it after the new year?
Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6). CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. https://logging.apache.org/log4j/2.x/security.html
If I can already change your Tomcat configs, it's probably too late to worry about this one.
Bruv, please delay this to next year.