|
Does anyone actually use Log4J ? I means its like 1999...stuff ? ... I thought there were other diagnotsic api and services... the so called article writers who get paid to write doom to pay their rent...say that "The Log4J Vulnerability Will Haunt the Internet for Years"...........Its like replace "The covid pandemic Will Haunt the world for Years'......damn...
Caveat Emptor.
"Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
|
|
|
|
|
When I heard about it a bit over a week ago, I scanned all my file systems. The only bits that came close were some historical backups of long-dead machines.
The first attempted exploit in my server logs was at 2021-12-11 00:28Z.
Since then the "villains" are using all sorts of cute encoding tricks to get jndi past dumb filters that look for it in plain text.
They account for currently around 7 or 8% of the noise traffic (i.e. by IP address, not hostname).
And yes, I think there is a considerable "beatup" component. Apart from Minecraft, I haven't heard of any significant exploits.
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
|
|
|
|
|
|
Did a scan on my machine. IntelliJ Idea uses it.
|
|
|
|
|
Where I work (Windows shop) we only have two candidates, TeamCity and Jira, both were not affected.
|
|
|
|
|
Well plenty of 1999 stuff is still running in production in plenty of places.. why changes something that is working hey?!
AS400 and Cobol is much older and still widely in use!
modified 18-Dec-21 5:13am.
|
|
|
|
|
I have a Linux Jenkins build server and whilst the Jenkins core doesn't use log4j the groovy scripting language does and possibly some plugins.
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
|
|
|
|
Another reason not to blindly jump on any "new" framework, just because it's "new".
BTW, my team is full of programming gods, and we don't do logging. At all.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
|
|
|
|
|
Programming gods wouldn't use a third-party logging library anyway; if needed, they'd roll their own.
|
|
|
|
|
I don't understand it...
A logging library should simply log messages, right?
How can a logging library become vulnerable? I think only if it does taking actions for specific messages. And that is not the job of a logging tool
[Edit]
Good explanation I found here: All About Log4j Log4Shell 0-Day Vulnerability - CVE-2021-44228[^]
modified 18-Dec-21 7:02am.
|
|
|
|
|
Any library can become vulnerable if it doesn't bounds check everything.
Back when I was a youth - and I don't recommend this - I rooted a server using their print daemon.
It *is* weird that it's happening with the JVM, given java code is managed and thus relatively hardened, but I don't know *anything* about the exploit so I can only speak about exploits in general.
Real programmers use butterflies
|
|
|
|
|
I agree. But a logging tool which becomes vulnerable by the data it should log is something idiotic, at least for me
|
|
|
|
|
Well, in their defense, because of the string, date and file manipulation there are plenty of potential opportunities to exploit a library like that.
Real programmers use butterflies
|
|
|
|
|
I heard it was an exploit in native code. A perfect example on why you should avoid native libraries.
"God doesn't play dice" - Albert Einstein
"God not only plays dice, He sometimes throws the dices where they cannot be seen" - Niels Bohr
|
|
|
|
|
Ah, that makes sense.
Real programmers use butterflies
|
|
|
|
|
They are poking and probing:
https://lous-stuff.com[^]
#4 the other day.
>64
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
|
|
|
|
|
Apparently Ab Initio uses it.
|
|
|
|
|
There are tons of legacy systems built on old open source libraries. This is one of them. The problem I see coming is now that two of the major open source libraries have been found to be vulnerable (OpenSSL was the other one) cyber criminals and their government employed counterparts will start scanning older open source code for more vulnerabilities. Far too many entities never update their systems, especially when they're running open source systems that tend to be harder to update.
|
|
|
|
|
I just had to enable the Firmware TPM in the BIOS. I also enabled Hardware Virtualization while I was in there, so VirtualBox now works.
What do you get when you cross a joke with a rhetorical question?
The metaphorical solid rear-end expulsions have impacted the metaphorical motorized bladed rotating air movement mechanism.
Do questions with multiple question marks annoy you???
|
|
|
|
|
I did a bunch of that mess to make mine compliant but I'm still on 10.
Real programmers use butterflies
|
|
|
|
|
I don't have to worry about that because I use Linux.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
|
|
|
|
|
For those who didn't realize this but need to run Win11, for example, to test against:
I have systems that do not support TPM 2.0 so they refuse to install Windows 11, but Hyper-V implements its own version...so even though the host won't run Win11, I have Win11 running in VMs on those systems.
|
|
|
|
|
Just discovered you can set the color of the mouse pointer (hand, etc.) in Windows 10; also makes for a better "beam" in VS, Notepad, etc. I chose Magenta; you can customize any color. ("Cursor and Pointer" under Settings)
I never noticed this option before; it may be a function of the mouse. My wired one gave out and I paired a Bluetooth (MS "Designer") mouse I had around from a few years back (for some reason).
I find the color better for me than the default when hunting for it.
(While I prefer wired, this mouse seemed to get better with time ... or it was me)
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
|
|
|
|
|
I found it very useful to colour the mouse pointer as well as use the 'CTRL' show location option, last year before my cataract surgery trying to find the pointer on multiple monitors when everything had misty appearance was hard work.
|
|
|
|
|
It's white.
I'm partially colorblind. Deuter..thingy. Had to do with red, and all colors that females can derive from that.
HotS supports it as a setting. Windows doesn't. While, in the past, the accessibility was one of their key sales points.
Thank you, WPF.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
|
|
|
|