|
be well
|
#
?
Dec 14, 2021 02:11
|
|
|
|
| # ? Apr 26, 2024 03:39 |
|
|
FacelessVoid posted:lol i'm pulling all-nighter to get this log4j fix into production before the holiday freeze. don't worry, if you miss it you can just use log4j to push an update to production!
|
|
#
?
Dec 14, 2021 02:12
|
|
|
hobbesmaster posted:don't worry, if you miss it you can just use log4j to push an update to production! yeah just use one of those self-patching rce implementations and call it a night lol
|
|
#
?
Dec 14, 2021 02:15
|
|
|
hobbesmaster posted:don't worry, if you miss it you can just use log4j to push an update to production! 
|
|
#
?
Dec 14, 2021 03:13
|
|
|
Subjunctive posted:wait, nis? does that mean you can stick a class file in your GECOS field and win the prize? I think NIS is a simple read-only mapping to RFC2307 semantics, which can't story any of the fancy objects edit: oh, there's an RFC explaining how to store a Java object in an LDAP record: https://www.ietf.org/rfc/rfc2713.txt. the '90s were a wild and crazy time. pseudorandom name fucked around with this message at 03:33 on Dec 14, 2021 |
|
#
?
Dec 14, 2021 03:29
|
|
|
FacelessVoid posted:lol i'm pulling all-nighter to get this log4j fix into production before the holiday freeze. gotta push out that yule log4j before the 25th
|
|
#
?
Dec 14, 2021 03:43
|
|
|
pseudorandom name posted:I think NIS is a simple read-only mapping to RFC2307 semantics, which can't story any of the fancy objects gonna go ponder some inter-ORBs
|
|
#
?
Dec 14, 2021 04:01
|
|
|
pseudorandom name posted:I think NIS is a simple read-only mapping to RFC2307 semantics, which can't story any of the fancy objects lmfao thank you for this
|
|
#
?
Dec 14, 2021 04:20
|
|
|
I'm glad the place I work has a general "no java" policy. A few of our dumbass systems/infrastructure applications etc use java, of course, but none of our prod stuff does.
|
|
#
?
Dec 14, 2021 05:21
|
|
|
good thing tomcat doesn't use log4j by default, otherwise I'd have to fix some poo poo, i just had to upgrade some unifi controllers that are practically unreachable
|
|
#
?
Dec 14, 2021 05:34
|
|
|
They shoot horses dont they?
|
|
#
?
Dec 14, 2021 06:06
|
|
|
comedy logstash is affected by this
|
|
#
?
Dec 14, 2021 06:35
|
|
|
Lain Iwakura posted:comedy logstash is affected by this lol I wonder if our sales guys still use kibana etc for their analytics
|
|
#
?
Dec 14, 2021 06:41
|
|
|
there are a few threat platforms that use ELK in some fashion and are affected ask me how i know
|
|
#
?
Dec 14, 2021 06:44
|
|
|
i am sure this appeared in here already but https://twitter.com/TheASF/status/1400875147163279374
|
|
#
?
Dec 14, 2021 06:53
|
|
|
Lain Iwakura posted:there are a few threat platforms that use ELK in some fashion and are affected because you're my coworker who spent the entire day complaining to me about how the ELK stack is affected 
|
|
#
?
Dec 14, 2021 07:07
|
|
|
pseudorandom name posted:I think NIS is a simple read-only mapping to RFC2307 semantics, which can't story any of the fancy objects this rules. why does anybody use json when we could be using pojo-over-LDAP
|
|
#
?
Dec 14, 2021 07:12
|
|
|
just had a handover meeting, guy who's fleeing for greener pastures just described his method for getting rid of "that annoying java popup". it involves disabling "all that sandbox crap". fml.
|
|
#
?
Dec 14, 2021 08:14
|
|
|
ZeusCannon posted:People keep giving me looks when i say assume you are vulnerable, act like you are about to be popped. Patch now. Yep. That's basically what the relevant Dutch government department is saying. Speaking of, they made a nice github repo with a list of known vulnerable apps and a lot of information about testing for and mitigating vulns. It is actively being updated. May it help you. https://github.com/NCSC-NL/log4shell
|
|
#
?
Dec 14, 2021 08:32
|
|
|
Excuse me what the gently caress https://twitter.com/ncweaver/status/1470453024870912000
|
|
#
?
Dec 14, 2021 08:45
|
|
|
Carbon dioxide posted:Excuse me what the gently caress ah, someone posted that in another thread, and we were wondering why (the base why is because url's compare equal based on actual host rather than hostname, but why it does that). luckily the twitter thread has a very likely answer, checking actual origin host as part of ye olde security model for applets
|
|
#
?
Dec 14, 2021 08:51
|
|
|
animist posted:this rules. why does anybody use json when we could be using pojo-over-LDAP you mock but there was a bunch of CVEs 5-10 years ago when people discovered that Ruby and Python etc. supported arbitrary object construction in their JSON/YAML/XML serialization APIs
|
|
#
?
Dec 14, 2021 09:29
|
|
|
pseudorandom name posted:edit: oh, there's an RFC explaining how to store a Java object in an LDAP record: https://www.ietf.org/rfc/rfc2713.txt. the '90s were a wild and crazy time.
|
|
#
?
Dec 14, 2021 09:47
|
|
|
pseudorandom name posted:I think NIS is a simple read-only mapping to RFC2307 semantics, which can't story any of the fancy objects i mean, just the data of an object, i don't think this is any worse than json, and arguably better since there is no eval() solution to tempt anyone
|
|
#
?
Dec 14, 2021 09:56
|
|
|
Lain Iwakura posted:i am sure this appeared in here already but quote it a million times i solelmeluely vow i will root the rover
|
|
#
?
Dec 14, 2021 09:58
|
|
|
no power on earth can stop me ... but what about beyond?
|
|
#
?
Dec 14, 2021 09:59
|
|
|
Carbon dioxide posted:Excuse me what the gently caress this is from using j.n.URL for origin checks, DNS rebinding attacks and all that fun notwithstanding. people should be using j.n.URI for most things anyway, but I bet if we take a nice drink of water and open up GitHub code search etc etc e: beaten!
|
|
#
?
Dec 14, 2021 10:27
|
|
|
how can a helicopter be ‘powered’ by a logging library
|
|
#
?
Dec 14, 2021 11:34
|
|
|
https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html another chrome CVE, already in the wild
|
|
#
?
Dec 14, 2021 11:37
|
|
|
Gentle Autist posted:how can a helicopter be ‘powered’ by a logging library have you tried expelling logs downwards
|
|
#
?
Dec 14, 2021 11:37
|
|
|
Lain Iwakura posted:gonna plead ignorance here but can you do this nested Or this: https://twitter.com/Laughing_Mantis/status/1470526083271303172
|
|
#
?
Dec 14, 2021 13:14
|
|
|
lmao why is Java this dumb
|
|
#
?
Dec 14, 2021 13:36
|
|
|
java more like jawohl
|
|
#
?
Dec 14, 2021 13:50
|
|
|
re: paypal mystery - today i got phone 2fa code as i opened the payment form, but before entering my password and pressing “log in”
|
|
#
?
Dec 14, 2021 13:54
|
|
|
Gentle Autist posted:how can a helicopter be ‘powered’ by a logging library lol it’s pretty obvious, there is a Bitcoin miner installed via log4j RCE that generates enough heat to produce lift.
|
|
#
?
Dec 14, 2021 14:18
|
|
|
rafikki posted:I saw some write ups saying yes. *jndi:znuts*
|
|
#
?
Dec 14, 2021 14:36
|
|
|
Jim Silly-Balls posted:lol it’s pretty obvious, there is a Bitcoin miner installed via log4j RCE that generates enough heat to produce lift. i mean spacecraft and rovers do need a bunch of heaters to keep their systems (especially batteries) at temperatures they actually work at, and it's not like the deep space network has anything better to do than transmit the entire bitcoin blockchain to mars
|
|
#
?
Dec 14, 2021 14:50
|
|
|
I'm a goddamn wastewater treatment operator not a computer toucher and yet my entire morning has been about trying to get an internal service patched to fix log4j after the vendor provided an update
|
|
#
?
Dec 14, 2021 15:14
|
|
|
shame on an IGA posted:I'm a goddamn wastewater treatment operator not a computer toucher and yet my entire morning has been about trying to get an internal service patched to fix log4j after the vendor provided an update have you tried flushing it off and on again
|
|
#
?
Dec 14, 2021 15:15
|
|
|
|
| # ? Apr 26, 2024 03:39 |
|
|
the thousand gallon tank of sulfuric acid is a more and more tempting solution honestly
|
|
#
?
Dec 14, 2021 15:18
|
|