XMPP Service Operators - 2021-12-11


  1. moparisthebest

    https://github.com/YfryTchsGD/Log4jAttackSurface excellent

  2. rozzin

    moparisthebest: what...

  3. moparisthebest

    rozzin: what?

  4. TheCoffeMaker

> does anyone know of a good guide for getting started with openldap central authentication?
    I think that you are looking for FreeIPA

  5. TheCoffeMaker

    tom: ☝️

  6. TheCoffeMaker

    https://www.freeipa.org/

  8. Licaon_Kter

Oh ffs
    > jigasi & jitsi-videobridge affected by log4j vulnerability when callstats is enabled

  9. Martin

Licaon_Kter: Do you know whether it's fixed in today's jitsi-meet update? Didn't find anything in the changelog.

  10. Holger

    Martin: https://github.com/jitsi/jitsi-videobridge/pull/1776

  11. Holger

    Seems the stable/jitsi-meet_6726 tag has that commit (cherry-picked, i.e. different commit hash).

  12. Holger

    FWIW, I couldn't easily bump log4j for our videobridge and had applied this instead: https://github.com/jitsi/jitsi-videobridge/pull/1774

  13. Martin

I set `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true` additionally, just in case it's not yet fixed. But if they cherry-picked that commit it should be fine. Thanks. :)

  14. Licaon_Kter

    Did the same yes, albeit my build is really old :((

  15. jonas’

    Licaon_Kter: some builds ship with log4j older than 2.10 where these workarounds are not available

  16. Licaon_Kter

    Are there arm64 builds? That aside, my config needs an update as I don't use prosody...

  17. Licaon_Kter

    https://upload.convorb.im/7c370453f738f2c0c995eaee643e5e0aba76aeb0/QO0aGVTAZ0Jxlnc0tMtoL4oNdv63uTGkCKLbPRBK/c4b5996c-bc37-404d-8bd8-cbd9c31268fc.png

  18. Licaon_Kter

    Wow...this...

  19. Licaon_Kter

    (Dino pasted an image selected in Firefox... unexpected but nice)

  20. kahlb

    Licaon_Kter: you're not alone. I already posted some quick n dirty analysis to xmpp:cybersecurity@conference.netbk.de?join earlier today. What service is this from? Jitsi?

  23. Licaon_Kter

Dunno, just saw that it was said it can be triggered with a special user agent too, which makes it... brrr

  24. kahlb

You can trigger it by pretty much everything that is going to be written to a log by log4j, so it's User-Agent, chat messages, HTTP GET/POST... Kind of scary, yes. Not only server applications are in danger, clients and standalone software as well.

  26. TheCoffeMaker

lol, I used to be a Java developer and later an architect for HP, before they split in two... All software from American Airlines, CenturyLink, Sprint, JPMorgan, American Tobacco, oh! and CitiCorp software too... All of them use log4j 🤣

  27. moparisthebest

TheCoffeMaker: but how many use log4j2 instead of log4j1? :)

  28. moparisthebest

Only 2 is vulnerable, which makes the lesson clear: never upgrade anything, ever

  29. TheCoffeMaker

> Only 2 is vulnerable, which makes the lesson clear, never upgrade anything ever
    lol, that's worse

  30. TheCoffeMaker

> but how many log4j2 instead of log4j1 ? :)
    If it ain't broken, don't fix it

  31. ernst.on.tour

moparisthebest: As far as I know, log4j1 is also vulnerable but not named because it's been out of scope for 6 years. It contains a JMS Appender which can use JNDI. As written today, the JMS one only loads strings from the remote server, not serialized objects, so maybe you are right.

  32. moparisthebest

Ah, really? Yesterday I read the bug was introduced only in 2, in 2013, but that sounds like it could be a similar but different one, thanks!

  33. TheCoffeMaker

lol... I'm too old for this sh*

  34. kahlb

    log4j 1 is not vulnerable.

  35. rozzin

    So..., what exactly is the issue with log4j? It sounds like it's not just use of unsanitized input for *format strings*, but also for any string arguments that I would have expected to just get rendered by string-splicing?

  36. moparisthebest

    rozzin: correct

  37. rozzin

    Some of the writeups seem to actually be saying that, but they're saying it in non-technical language, so I wasn't sure how literally I should take those statements....

  38. rozzin

But I've noticed what seems to be a total absence of the usual "stop passing unsanitized input strings to formatter-procedures, people!" admonitions for this.

  39. rozzin

    And the fix is "turn that feature off in log4j".

  40. rozzin

    I'm having trouble understanding..., why would anyone want a feature that treats *every* argument as a formatter with no method of escape?

  41. moparisthebest

    rozzin: this is maybe the best write-up https://www.lunasec.io/docs/blog/log4j-zero-day/

  42. moparisthebest

    But yes, it's any and every argument, and that feature can only be turned off in somewhat newer versions

  43. Licaon_Kter

    Some info here too: https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/

  44. rozzin

    moparisthebest: that is a good explanation—thanks.