|
slf4j-log4j12 IS vulnerable. This writes your slf4j logging messages out using log4j. it has a log4j dependency because you are using log4j for the actual log writing which is the vulnerable part. log4j-over-slf4j is NOT vulnerable. This is a shim that exposes a log4j api façade that translates log4j api calls to slf4j calls. It DOES NOT have any real log4j dependencies, so if you are seeing real log4j dependencies you are probably vulnerable, either because you arent using the shim and are using slf4j-log4j12, or because you are using the shim but then logging out via log4j anyways (idk why you would do this). if you are actually seeing a real log4j dependency in your project then you probably arent using the bridge/shim and need to look at whats going on there a little more closely.
|
#
?
Dec 14, 2021 18:59
|
|
|
|
| # ? Apr 25, 2024 07:01 |
|
|
Shaggar posted:altho to be clear im talking about the shim that translates the log4j api to slf4j api and NOT the log4j appender for slf4j that takes the slf4j output and writes it out via log4j. nah we only use the first one (i double-checked), it's just flagging on log4j-api which is needed by the log4j->slf4j bridge so it can impersonate log4j properly. tool's just being overly broad, meh e: hm i swear log4j-api (and only api) was needed for this to work but maybe not e2: okay so whatever's written against log4j needs log4j-api (and only that), but the log4j->slf4j bridge itself doesn't need it 
Shame Boy fucked around with this message at 19:06 on Dec 14, 2021 |
|
#
?
Dec 14, 2021 18:59
|
|
|
oh wait, im looking at log4j 1.2 over slf4j. disregard lmao
|
|
#
?
Dec 14, 2021 19:08
|
|
|
ok yeah that makes more sense. the log4j-api 2 itself is probably not vulnerable so its fine. lmao i'm just now realizing i dont have log4j 2 anywhere since i moved to slf4j way before it became common.
|
|
#
?
Dec 14, 2021 19:09
|
|
|
just found this thread, my week has been extra fun so far because, in addition to immediate mitigation/remediation of the actually vulnerable versions, our infosec org required yesterday that all software using log4j 1.x also be removed by eod today. they only backed down on that requirement earlier today.
|
|
#
?
Dec 14, 2021 19:11
|
|
|
this is not an “invalid unicode character”, and converting it to I is correct behavior the idea that this could ever have been fixed by filtering out bad patterns is such a typical lovely enterprise programmer mindset that i bet this dude works for a major international financial institution
|
|
#
?
Dec 14, 2021 19:12
|
|
|
carry on then posted:just found this thread, my week has been extra fun so far because, in addition to immediate mitigation/remediation of the actually vulnerable versions, our infosec org required yesterday that all software using log4j 1.x also be removed by eod today. does boris johnson moonlight as your ciso
|
|
#
?
Dec 14, 2021 19:12
|
|
|
cinci zoo sniper posted:does boris johnson moonlight as your ciso
|
|
#
?
Dec 14, 2021 19:31
|
|
|
Chris Knight posted:he keeps spawning child processes, i'd assume so orphaned child processes if some stories I've been told about a few of his kids are true. Fucker doesn't pay child support.
|
|
#
?
Dec 14, 2021 19:38
|
|
|
 code:Sarah Problem fucked around with this message at 22:04 on Dec 14, 2021 |
|
#
?
Dec 14, 2021 22:01
|
|
|
Sarah Problem posted:
Nnոռ𝐧𝑛𝒏𝓃𝓷𝔫𝕟𝖓𝗇𝗻𝘯𝙣𝚗ice
|
|
#
?
Dec 14, 2021 22:18
|
|
|
today I learned about homoglyphs
|
|
#
?
Dec 14, 2021 22:22
|
|
|
Sarah Problem posted:
ư̶͙͕̺͓̈́̅͐͒̈́̾̏͝ͅn̴̠͎̮̥̼͙͎̩̼̟̒̌͛̾̎̈͂͆͝i̸̡̡͓̖̱̊̏͋͆́̋͝ͅc̸͍͉͎̃͆̾̈́ͅo̷̜̣̗͈̝͕̳̭͊̀͜͜͝d̵̢̧̢͖̭̖̖͛͜͜ͅè̴̡̡̨͇̙̜͆̊̏̓̋ ̷̣̪̏̈̑͊̿̍̇͗͛̚͜í̸̠̤́̈́͝ͅs̶̹̈͗͋̾͂̃̽̚͜ ̴̛̠̖̦̗̒̀ͅͅf̴̧̨̥̣̘̦̠̀̾̃̔̓̊̚̕a̷̦̮̭̲̞̼̝̲͌̽̐̆̀̍͘ͅṋ̵͔͎̬̘̗̃t̷̨̺̼͙͓͚̮͎̔́͑̕̕ä̵͙̲̮̖̣̯̮͖́͠͠ş̴̛͈̩͈̻͇̝̏̾͂̄̇͝ͅt̴̹̞͛̓̌̒̽̑̏͐͝ï̴̧͙̯͉̬͚̰̤͙͒̇͠c̷͇̩̈́̐͐̕
|
|
#
?
Dec 14, 2021 22:23
|
|
|
Welp the first patch didnt take. HIT IT AGAIN BOYS.
|
|
#
?
Dec 14, 2021 23:57
|
|
|
*firing a ghostbusters proton pack at the server rn*
|
|
#
?
Dec 15, 2021 00:25
|
|
|
Jim Silly-Balls posted:*firing a ghostbusters proton pack at the server rn* Please fire it all the servers, tia.
|
|
#
?
Dec 15, 2021 01:11
|
|
|
ZeusCannon posted:Welp the first patch didnt take. HIT IT AGAIN BOYS. Yeah, this is fun https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 quote:It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.
|
|
#
?
Dec 15, 2021 01:18
|
|
|
it’s Java. buffer overruns can’t happen. ergo, it is secure.
|
|
#
?
Dec 15, 2021 01:20
|
|
|
Oh dear, why has this binary in my mactex installation got the string "org.apache.logging.log4j" in it. Thanks java, it's 2am, now I have to work out what the gently caress that is.
|
|
#
?
Dec 15, 2021 03:25
|
|
|
log forgé
|
|
#
?
Dec 15, 2021 03:51
|
|
|
When at first you don't succeed
|
|
#
?
Dec 15, 2021 04:25
|
|
|
all that work… I have to do it all again. loving hell
|
|
#
?
Dec 15, 2021 05:05
|
|
|
Sarah Problem posted:all that work… I have to do it all again. loving hell just think of it as speedrunning
|
|
#
?
Dec 15, 2021 09:09
|
|
|
Lain Iwakura posted:a lot of folks have the impression that regex can be used for everything
|
|
#
?
Dec 15, 2021 09:24
|
|
|
BlankSystemDaemon posted:if that was true, regex could be used to fix mistakes made in multiplayer vi
|
|
#
?
Dec 15, 2021 14:11
|
|
|
lmao my boss did his postgrad with the guy that wrote the original log4j. I just looked him up and he left the project 4 years ago but has updated his Twitter profile to say "2.x is nothing to do with me!"
|
|
#
?
Dec 15, 2021 14:36
|
|
|
So he's responsible for CVE-2019-17571?
|
|
#
?
Dec 15, 2021 15:24
|
|
|
mystes posted:What? No, nevermind, I don't want to know
|
|
#
?
Dec 15, 2021 16:03
|
|
|
cinci zoo sniper posted:just think of it as speedrunning be sure to half-press on deploy to maintain full core utilization
|
|
#
?
Dec 15, 2021 16:18
|
|
|
jar wars: return of the jndi
|
|
#
?
Dec 15, 2021 17:00
|
|
|
Penisface posted:jar wars: return of the jndi
|
|
#
?
Dec 15, 2021 17:07
|
|
|
https://www.npr.org/2021/12/14/1064247651/kronos-hack-paychecks Over/under this was log4j
|
|
#
?
Dec 15, 2021 17:23
|
|
|
Please continue to patch our systems also we can't pay you till you do
|
|
#
?
Dec 15, 2021 17:24
|
|
|
No we will not increase your budget
|
|
#
?
Dec 15, 2021 17:33
|
|
|
the lack of payments will continue until security improves
|
|
#
?
Dec 15, 2021 17:40
|
|
|
in the midst of the log4j stuff, my ciso decided to schedule a pen test and not tell anyone on the team so now I have that to deal with too.
|
|
#
?
Dec 15, 2021 17:42
|
|
|
Mr. Crow posted:https://www.npr.org/2021/12/14/1064247651/kronos-hack-paychecks quote:"It is likely the attacker had been in Kronos for weeks launching the attack before Log4J was reported. That doesn't mean the two aren't connected. But the best evidence right now says otherwise," he told NPR. This seems like the worst of both worlds tbh
|
|
#
?
Dec 15, 2021 17:56
|
|
|
Mustache Ride posted:So he's responsible for CVE-2019-17571? lol https://twitter.com/AndyVic14/status/1469938114617647114?s=20
|
|
#
?
Dec 15, 2021 18:22
|
|
|
today I also learned that our support team (who are the ones that manage service accounts etc. Under "segregation of duties") have been storing the credentials in confluence so they didn't have to go ask the password vault owners for access every time 
|
|
#
?
Dec 15, 2021 18:23
|
|
|
|
| # ? Apr 25, 2024 07:01 |
|
|
ive moved as many services as possible to managed service accounts cause password management sucks
|
|
#
?
Dec 15, 2021 18:25
|
|