
Good Morning Everlasting!


rookery.


33 minutes ago, Hugbert said:

Just run a search in windows explorer. Hopefully you won't find it at all. If you do figure out what application it is associated with, it should be in the same folder structure right. The one I found was in SQL Developer I had used for a class I took. I just deleted the entire application. If you find it in an application you need, check the vendor website for fixes.

 

 

Puppeh lifts one ear and looks confuzzled a whatis?


19 hours ago, CienFuegos said:

what kinda bad things? 

 

Apache Log4j is an open-source logger component used in Java applications made by Apache, as well as applications by other developers with embedded Apache components, like Minecraft: Java Edition.  When the component attempts to parse a specially-crafted string of input, arbitrary code execution becomes possible.

 

Meaning that a hacker can send it the right signal and make it run anything they want, at any level of permission they want.

 

Since the component is a logger, to send the signal all you have to do is get it to log an event with the correct string in place.  For instance, a login page with the Log4j component could be made to log a malformed username to receive the malicious string.

 

If you want to learn more, this article on the Microsoft Blog and these two CVEs have a broader overview and more technical specifications on the vulnerability.

 

For the TL;DR: First do a search on your computer for Log4j-core.  It'll be a folder within a java application's directory (when I found it, it was in the .minecraft directory).  You should be able to see its version number in its name.  If it's one of the vulnerable versions, the best course of action is to find an update for the component - usually by updating the associated program.  So if you find it in .minecraft like I did, make sure you update Minecraft and then search again to see if it's still using the malfunctioning logger.

 

Versions 2.0.0 through 2.15.0 are affected by this vulnerability.  The versions you want to update to are:

 

Java 8: use Log4j version 2.16.0 or newer

Java 7: use Log4j version 2.12.2

 

Consider removing applications that use a vulnerable version of this component that can't be updated.  There are a few workarounds, but they're difficult to implement.  Since I don't play Minecraft anymore, I just uninstalled it and then deleted the entire .minecraft directory.

 

Edited by Nerva
Small correction, it's a java program component, not a full program in its own right
  • Like 1
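
The search-and-check-version routine from the post above, as an added example (not part of the post and not a vendor tool). It goes beyond a file-name search by opening `.jar`/`.war`/`.ear`/`.zip` archives, including archives nested inside them, and reading the version from log4j-core's Maven `pom.properties`. Assumptions: the function names are illustrative, the 2.12.x line from 2.12.2 onward is treated as the Java 7 fix, and `fixed_floor` defaults to the post's 2.16.0 (pass `(2, 17, 0)` to apply the stricter figure given in the replies further down).

```python
import io, re, sys, zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # ships in log4j-core
ARCHIVES = {".jar", ".war", ".ear", ".zip"}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); nothing parseable -> None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(version, fixed_floor=(2, 16, 0)):
    """Apply the version ranges quoted in the post; fixed_floor is adjustable."""
    if version is None:
        return "unknown version, inspect manually"
    if version < (2, 0, 0):
        return "outside the 2.x range discussed"
    if version >= fixed_floor or (2, 12, 2) <= version < (2, 13, 0):
        return "fixed"
    return "affected"

def find_log4j(source, label, depth=0):
    """Yield (location, version) for log4j-core in an archive and in archives nested in it."""
    fname = Path(label.split("!")[-1]).name
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            if POM in names:
                m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
                yield label, parse_version(m.group(1) if m else "")
            elif "log4j-core" in fname.lower():
                yield label, parse_version(fname)  # no metadata: fall back to the file name
            elif JNDI_CLASS in names:
                yield label, None  # repackaged copy; the file name says nothing about Log4j
            for inner in sorted(names) if depth < 3 else ():  # depth cap on nesting
                if Path(inner).suffix.lower() in ARCHIVES:
                    yield from find_log4j(io.BytesIO(zf.read(inner)), f"{label}!{inner}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        return  # unreadable, corrupt or encrypted archive: skip it

def scan(root, fixed_floor=(2, 16, 0)):
    """Return [(location, version tuple or None, verdict)] for archives under root."""
    jars = [p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES]
    return [(w, v, classify(v, fixed_floor)) for p in jars for w, v in find_log4j(p, str(p))]

if __name__ == "__main__":
    for where, ver, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:35} {ver} {where}")
```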

There is a small update on that, 2.16 was compromised already, you want 2.17. Minecraft was one of the first programs it was noticed in as players were sending the attack string through in game chat. Best bet if you don't need log4j-core on your machine, remove it entirely. One security researcher even found a way to leverage the bug through use of websockets on a website. So just going to the website could compromise your machine. This one is bad, like a whole new level of bad.

  • Like 1
  • Thumbs Up 1

15 hours ago, Hugbert said:

There is a small update on that, 2.16 was compromised already, you want 2.17. Minecraft was one of the first programs it was noticed in as players were sending the attack string through in game chat. Best bet if you don't need log4j-core on your machine, remove it entirely.

 

Yeesh.  Yeah, that's pretty nuts.  But there's this bit that I'm curious about:

 

15 hours ago, Hugbert said:

One security researcher even found a way to leverage the bug through use of websockets on a website. So just going to the website could compromise your machine. This one is bad, like a whole new level of bad.

 

Like, I thought the code vulnerability only allowed compromising the machine where the Log4j component is actually running.

 

Going to a website designed to exploit a bad Log4j logger would only wind up hacking the server the site is stored on, since it's the site's own logger component that's processing the malformed input. So unless the website can stick a Log4j component on your machine in an internet-facing position (admittedly, not entirely impossible given the existence of chromium plugins, malware, and social engineering) and then have a site write something to your log, I don't see how a visitor to a site can be hacked this way.

 

Am I misunderstanding something here?

 

Edited by Nerva
Allowing for reasonable doubt

If log4j is installed on your local machine, say by the minecraft client, they can use a websocket to find and load it into memory and then execute the hack on your machine. Even if you are not actively running a webserver.

 

https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

 

This was a nasty development last week.


1 hour ago, Hugbert said:

If log4j is installed on your local machine, say by the minecraft client, they can use a websocket to find and load it into memory and then execute the hack on your machine. Even if you are not actively running a webserver.

 

https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

 

This was a nasty development last week.

 

Oh, ew.  I don't use this term lightly, but that is outright fugly.  Crap, and that article was posted barely more than a week ago.  Yeah, I'mma just double-check for this component and destroy any instances I find.  I don't need any java-integrated software that much that I'm willing to risk it.

 

Edited by Nerva
Small addition
  • Thumbs Up 1
