Log4J exploit - Exploit found in popular Java library

2. If this is as bad as techno-journos are implying, where the fuck is the mainstream media coverage? If I were a journo, the front page would be filled with what this exploit is, why it took so long for it to be noticed, and how this will have negative ramifications for years to come. The fearmongering would bring in mountains of revenue. Are regular journos just too braindead to understand the severity, or am I the braindead one for overreacting?
Probably just because people are dumb. Viruses will make front pages because people understand them, "major security vulnerability in a widely used logging library" isn't a catchy headline and it's hard to quickly explain to a tech illiterate why it's such a big deal. If they had come up with a scary sounding nickname like "Heartbleed" it might get more attention.
 
  • Disagree
Reactions: 419
Viruses will make front pages because people understand them
The average person doesn't understand what a "virus" is for shit and likely has no idea what it means for a program to "self-replicate". Has your mum never reacted to Windows just generally being slow due to running too much randomly-installed bullshit at once with "SON HELP ME I HAVE VIRUS FIX MY LAPTOP" first thing? They all use that word because it's the first most popular term they've heard for anyone else for "something that does damage to your computer" without the slightest bit of nuance on what that something is and what the damage actually looks like.
If they had come up with a scary sounding nickname like "Heartbleed" it might get more attention.
They have come up with one: Log4Shell.
 
I didn't hear about this until the IT team at my job lost their minds yesterday, begging everyone to run a script ASAP to update Log4j. I've looked into it and it looks bad, to say the least. I don't have the technological literacy to answer these questions, so if anyone here knows the answer, please, lend a hand:

1. What should I, someone who runs no java-based servers and sells no java-based software, be doing right now? Should I be purging every program that runs java from my PC? Is there anything I can do to avoid being compromised, or is that out of my control until there's an unexploited Log4j update? None of the techno-journos are putting solutions in terms that the technologically illiterate can understand, it seems like they're all just flexing their cybersecurity terminology instead.

2. If this is as bad as techno-journos are implying, where the fuck is the mainstream media coverage? If I were a journo, the front page would be filled with what this exploit is, why it took so long for it to be noticed, and how this will have negative ramifications for years to come. The fearmongering would bring in mountains of revenue. Are regular journos just too braindead to understand the severity, or am I the braindead one for overreacting?

3. Isn't this kind of damning for the security of open source that people gush about so much? This has been in the wild since 2013, and the vulnerability was only just reported now. It seems to me that a bad actor trying to distribute malware has way more incentive to look for vulnerabilities in open source software and keep quiet about it, while a good faith programmer gets no money from combing through open source software and can easily assume that someone else will find an issue. Doesn't common sense and the tragedy of commons suggest that open source software is more vulnerable than paid software developed by a company that will lose money if they get compromised?
1. Update whatever software you run and cross your fingers. Make sure you're following regular security practices (don't expose anything on your network to the internet that doesn't need to be exposed -- inbound and outbound; keep things up-to-date; don't run stuff you don't need to run; etc.).

2. Journalists are incompetent at best and actively malicious at worst. Under no circumstances are they trustworthy and they can always be expected to a) cover irrelevant things enthusiastically (and inaccurately), b) almost always ignore genuinely important things and c) get every detail breathtakingly wrong when they do decide to cover something important. Under no circumstances should any word produced by a journalist be relied upon to be accurate, truthful or relevant. This is true for all industries.

3. Why would it be? Bugs exist in all software. Do you actually believe closed-source software gets regularly "scrubbed" for vulnerabilities? Proprietary software only ever gets fixed when someone reports a bug, and even then bugs only tend to get fixed when they're particularly bad (like this one). 0-days don't last long in open source, while it can take weeks or even months for really bad vulnerabilities to be patched in closed-source stuff.
 
Turning into a real HAPPENING. I know 2 different people who work for 2 different organizations who need Kronos to get paid.

Earlier this week long-time Slashdot reader DJAdapt wrote: According to a post on the Kronos Community Page, a cyber security incident due to a ransomware attack is affecting UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Although they are currently working with cyber security experts on the issue, they say that it may take several weeks to restore full system availability.
CNN reported: Ultimate Kronos Group, one of the largest human resources companies, disclosed a crippling ransomware attack on Monday [December 13th], impacting payroll systems for a number of workers. After noticing "unusual activity" on Saturday [December 11th], Kronos noted that its systems were down and could remain that way for several weeks.

Kronos has a long list of notable customers across the public and private sector, including the city of Cleveland, New York's Metropolitan Transportation Authority (MTA), Tesla and MGM Resorts International. It also works with many hospitals across the country. Some employers find themselves having to make contingency plans in order to pay workers, such as shifting to paper checks. And some impacted employees have been unable to access payroll systems...

In addition to the potential payroll issues, there's also data privacy concerns. The city of Cleveland said in a statement Monday that Kronos alerted it that sensitive information may have been compromised in the attack. Employee names, addresses and the last four digits of social security numbers may have been stolen by the hackers inside Kronos's network.

Other Kronos customers include Whole Foods, GameStop and Honda, as well as state and local government agencies like the state of West Virginia, reports NBC News: John Riggi, the senior advisor for cybersecurity at the American Hospital Association, an industry group, said that he had spoken with multiple hospitals that have had to create contingency plans for getting employees paid, managing their schedules and tracking their hours. "Quite frankly, this could not have happened at a worse time. We've had a surge in Covid patients, flu patients," Riggi said. "It's a distraction to hospital administrators at a time when they don't need any additional burden or diversion of resources."
"Though it has not been confirmed, there is speculation that the notorious Log4Shell vulnerability was involved," writes CPO magazine, "given that the Kronos cloud services are known to be built on Java to a great degree...."

"Microsoft's security team has reported that ransomware attacks are already unfolding after these breaches in at least several cases."
 
I know a very high level infosec guy who told me this is the most serious vulnerability he’s seen in his career. I’m not smart enough to know what any of this shit actually means but I guess it’s pretty fucking bad eh?
 
I know a very high level infosec guy who told me this is the most serious vulnerability he’s seen in his career. I’m not smart enough to know what any of this shit actually means but I guess it’s pretty fucking bad eh?
It's something used by virtually everyone that needs to be fixed yesterday compounded by the reality that many (most?) companies/organizations are afraid of significant updates because it will "break things" and cause downtime. Now throw into the mix that even the most basic of script-kiddies can abuse this.
The effects will be felt for at least a decade as places using outdated log4j, among other things, keep getting burned.
 
It's something used by virtually everyone that needs to be fixed yesterday compounded by the reality that many (most?) companies/organizations are afraid of significant updates because it will "break things" and cause downtime. Now throw into the mix that even the most basic of script-kiddies can abuse this.
The effects will be felt for at least a decade as places using outdated log4j, among other things, keep getting burned.
Log4j updates don't "might break things", they break things.
 
  • Like
Reactions: 419
It's something used by virtually everyone that needs to be fixed yesterday compounded by the reality that many (most?) companies/organizations are afraid of significant updates because it will "break things" and cause downtime. Now throw into the mix that even the most basic of script-kiddies can abuse this.
The effects will be felt for at least a decade as places using outdated log4j, among other things, keep getting burned.
Not to mention we're in the middle of Christmas season and plenty of people are on vacation now until the end of the year, so there aren't as many staffers around to work on fixing this (either fixing vulnerabilities or applying the patches to affected servers and services). Even the classic "all hands on deck" call to arms will still see plenty of companies short-staffed right now.

Log4j updates don't "might break things", they break things.
lol that's most Java-related software tbh. Java application/service deployments are all-day (or even all-week) affairs for a reason.
 
  • Like
Reactions: 419
All it takes is a bunch of 6-year-old skids to fuck everything up. Such as finding new exploits on skid forums to crash Minecraft servers.
 
I feel terrible apologizing for Java here but this isn't Java's fault, as much as it's a problem with the model of corpos parasitising open source and expecting anything in return.
Java isn't the only platform which has a mechanism for dynamic code loading. Every scripting language and every runtime which you can pwn to shell out to bash is just as vulnerable.
But why the fuck companies think they can just pull in a dependency maintained by three guys in their free time, with their eyes closed, is fucking beyond me.
Open source is a critical part of the economy but it is an ecosystem still without a viable economic model.

Open source development feels like devs giving to devs, and that is the popular narrative. The reality is: most companies are taking economic advantage of the generous spirit of open source developers. That needs to stop. The value of programs, and thus of programming and people who pursue it as a profession, is eroding. Little of the vast wealth derived from open source flows intentionally and systematically to its creators. This is neither fair nor sustainable.

Open source licenses effectively preclude developers from charging for their work. Nevertheless, companies should pay for it.
 
  • Agree
Reactions: Considered HARMful
But why the fuck companies think they can just pull in a dependency maintained by three guys in their free time, with their eyes closed, is fucking beyond me.
There are usually checks and balances in place to prevent critical infrastructure being built with potentially dangerous (for a very broad definition of dangerous) components, but while it's relatively easy to evaluate if Asssoft 8.8 is safe or not, the matter gets trickier the deeper you go. What if an employee cobbled together three scripts for his two mates and now you have 700 people using them 5 years later? Or a dev featured a single dependency which has dependencies running three levels deep with an issue there? Those are, I reckon, the true vectors via which such vulnerabilities are introduced: someone builds a low-scale proof of concept using time-saving measures, it gets adopted, and later on the business doesn't want to spend the time and money to refactor the program, or isn't even aware of the issue.
 
  • Agree
Reactions: 419
There are usually checks and balances in place to prevent critical infrastructure being built with potentially dangerous (for a very broad definition of dangerous) components, but while it's relatively easy to evaluate if Asssoft 8.8 is safe or not, the matter gets trickier the deeper you go. What if an employee cobbled together three scripts for his two mates and now you have 700 people using them 5 years later? Or a dev featured a single dependency which has dependencies running three levels deep with an issue there? Those are, I reckon, the true vectors via which such vulnerabilities are introduced: someone builds a low-scale proof of concept using time-saving measures, it gets adopted, and later on the business doesn't want to spend the time and money to refactor the program, or isn't even aware of the issue.
Painfully true.
Management and devs need to understand there's no such thing as "temporary". A temporary proof of concept or hack will be running in production 5 years later. They need to understand that after a proof of concept you need to throw that code away and rewrite from scratch.
That's before you fucking go over the dependencies and do some minimal due diligence, with preference to fewer deps or lightweight solutions, like logback vs. log4j.
I'd usually disqualify a library if it pulls in any logging framework. At most, it is acceptable to pull in a facade like slf4j, but anything else is bad design, and dependency trees should be reviewed.
Still better than the mess which was npm or how you couldn't specify dependency versions in golang up to 1.13(?)
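The post above says dependency trees should be reviewed: flag any outdated log4j-core, and treat a library that drags in a logging implementation (rather than a facade like slf4j) as a red flag. As an added example, not code from anyone in this thread, here is a small Python script that applies exactly those two rules to the output of `mvn dependency:tree`. The sample tree is constructed, the `com.example` artifacts are hypothetical, and the minimum-safe log4j-core version is an assumption for illustration that should be confirmed against the Apache Log4j security advisories before use.

```python
"""Review a Maven dependency tree for outdated log4j-core and for logging
implementations pulled in transitively by other libraries.

Added example, not from the forum thread. Parses the
`group:artifact:type[:classifier]:version:scope` coordinates that
`mvn dependency:tree` prints; the sample input below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION for illustration only: the lowest log4j-core version treated as
# patched. Confirm the current value against the Apache Log4j advisories.
MIN_SAFE_LOG4J_CORE = "2.17.1"

# Logging *implementations*: a library that pulls one of these in transitively
# is what the poster above would disqualify.
LOGGING_IMPLEMENTATIONS = {
    ("org.apache.logging.log4j", "log4j-core"),
    ("ch.qos.logback", "logback-classic"),
    ("log4j", "log4j"),  # log4j 1.x
}

# Constructed sample of `mvn dependency:tree` output for a hypothetical app.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:reporting-lib:jar:3.2.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  \\- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] \\- com.example:utils:jar:0.9.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
"""

# "[INFO] " then tree-drawing characters, then a single coordinate token.
LINE_RE = re.compile(r"^\[INFO\]\s(?P<tree>[|+\\\- ]*)(?P<coords>\S+)$")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int            # 0 = the project itself, 1 = direct dependency
    via: Optional[str]    # direct dependency that brought in a transitive one


def version_key(v: str):
    """Comparable tuple: '2.17.1' -> (2, 17, 1, 0, 0). Qualifiers sort lower."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    nums = nums + (0,) * (4 - len(nums))
    # a pre-release qualifier (e.g. -rc1) is older than the final release
    return nums + (-1 if qualifier else 0,)


def parse_tree(text: str) -> List[Dep]:
    """Parse dependency:tree lines; every other Maven log line is skipped."""
    deps: List[Dep] = []
    stack: List[str] = []  # ancestor coordinates by depth
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue
        depth = len(m.group("tree")) // 3  # each tree level is 3 characters wide
        group, artifact = parts[0], parts[1]
        if depth == 0:                     # root: group:artifact:type:version
            version, scope = parts[3], ""
        elif len(parts) == 5:              # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        else:                              # with classifier before the version
            version, scope = parts[4], parts[5]
        del stack[depth:]
        stack.append(f"{group}:{artifact}")
        via = stack[1] if depth >= 2 else None
        deps.append(Dep(group, artifact, version, scope, depth, via))
    return deps


def review(deps: List[Dep]) -> List[str]:
    """Apply the two rules from the post: outdated log4j-core, transitive impls."""
    findings = []
    for d in deps:
        coord = f"{d.group}:{d.artifact}:{d.version}"
        if ((d.group, d.artifact) == ("org.apache.logging.log4j", "log4j-core")
                and version_key(d.version) < version_key(MIN_SAFE_LOG4J_CORE)):
            findings.append(f"OUTDATED log4j-core {d.version} "
                            f"(< {MIN_SAFE_LOG4J_CORE}) at depth {d.depth}")
        if d.depth >= 2 and (d.group, d.artifact) in LOGGING_IMPLEMENTATIONS:
            findings.append(f"TRANSITIVE logging implementation {coord} "
                            f"pulled in via {d.via}")
    return findings


if __name__ == "__main__":
    for line in review(parse_tree(SAMPLE_TREE)):
        print(line)
```

On the constructed tree this reports the direct log4j-core 2.14.1 as outdated and two transitive logging implementations (logback-classic via reporting-lib, log4j-core via utils). Note that `dependency:tree` shows Maven's resolved version per artifact; run it with `-Dverbose` if you also want to see the versions Maven discarded during conflict resolution.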
 