The log4j vulnerability

MrJanuary (New Member, joined Dec 28, 2021)
Hello, I was wondering if any of you have heard of/discussed the log4j vulnerability? Perhaps you could point me to that thread if you have seen it or were involved in it? From what I understand there are at least 500 applications which are affected by this vulnerability. Some of them are Atlassian, IBM, Cisco, vSphere, Red Hat, Microsoft, Citrix and so on. Apparently, the vulnerability was originally found being exploited in the game Minecraft but was widely released to the public before any patching could take place. It uses a flaw in the Apache web service that sends logs using Java. This is the easiest way to do logging, and any third-party application that uses a website as an interface most likely uses Apache (even routers and SANs).

I am wondering how many (if any) of you are already aware and have taken steps to safeguard yourself against this vulnerability. If so, please, would you be so kind as to list the approach/steps you took here in this thread? Or, as I said before, if you are aware that this issue has already been addressed in another thread, would you please point me at that thread?
 
log4j still hasn't been patched? As I remember, it's been more than 3 weeks since it was found.
The only recommendation is to update your system and you will be fine. Also, don't use services that have not yet updated their systems with security updates.
 
After a quick search, I could find this.
 
Old news, but log4j 2.17 is out for most distros.

But this is really pretty big. This affects a lot of stuff, everything uses log4j.

Elasticsearch, Logstash, Nifi, Tomcat, some modules in apache/httpd.
Most vendors have already released new versions. But sometimes it's a pain to upgrade.
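Before upgrading, most people first need to know where log4j-core actually sits on a box, since it is bundled inside other products rather than installed as a package. The following is an added example, not code from the thread or from any vendor: it walks a directory tree, reads each log4j-core jar's manifest version (assumed to carry an `Implementation-Version` header, with the file name as fallback), and reports jars below the 2.17 threshold mentioned above that still contain the `JndiLookup` class. The sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import zipfile
# Threshold taken from the thread (2.17 is out); adjust for the branch you run.
FIXED_VERSION = (2, 17)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def inspect_jar(path):
    """Return (version, has_jndi_lookup) read from the jar's manifest and entries."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m is None:  # no manifest version: fall back to the file name
        m = JAR_NAME.search(os.path.basename(path))
    return parse_version(m.group(1)), JNDI_CLASS in names

def find_vulnerable(root):
    """Walk root; report log4j-core jars below the threshold that still ship JndiLookup."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.search(name):
                path = os.path.join(dirpath, name)
                version, has_jndi = inspect_jar(path)
                if version < FIXED_VERSION and has_jndi:
                    hits.append((path, ".".join(map(str, version))))
    return hits

def make_sample_jar(path, version, with_jndi):
    """Constructed stand-in for a real jar: just a manifest and, optionally, the class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Scan a throwaway tree holding one old jar and one patched jar."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", "lib"))
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.0.jar"), "2.17.0", False)
    return find_vulnerable(root)
```

Point `find_vulnerable` at `/` (or at an application's install directory) to get the real inventory; jars nested inside other archives (wars, ears) are not opened by this version.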
 
I don't understand why we keep using JAVA after all the time it's been here. It has had so many security vulnerabilities, and we still use it to keep our personal information safe. I don't trust JAVA and wish we could stop using it.
 
True, but people keep using Windows... :)

I think the main thing with Java is code portability. The same code runs on Windows, Unix, Linux, Mac, whatever.
I don't think you can say that about any other language.
 
HTML, CSS, PHP :-b I know it's not fully the same, but it's still a code language :-b

But yes.
Also, one of the reasons, even if it's a small one, why I stopped using Win. There are many reasons why I quit, and the biggest one is I feel like I've been ass fucked by Microsoft, and then they make me pay for it.
 
Java should not be confused with JavaScript. They're two very different animals. Not a lot of Java is used directly, as a front end, all that often these days. ('Member Java Applets?)

JavaScript, on the other hand, is used on what must be the overwhelming majority of public sites.
 
I found the following repository which seems to be a compilation of programs which use log4j. Some of them have working hotfixes, others do not. I have not actually followed all of these links and therefore cannot verify their authenticity.
 