-
moparisthebest
https://github.com/YfryTchsGD/Log4jAttackSurface excellent
-
rozzin
moparisthebest: what...
-
moparisthebest
rozzin: what?
-
TheCoffeMaker
> does anyone know of a good guide for getting started with openldap central authentication? I think that you are looking for freeIPA
-
TheCoffeMaker
tom: ☝️
-
TheCoffeMaker
https://www.freeipa.org/
-
Licaon_Kter
Oh ffs > jigasi&jitsi-videobridge affected by log4j vulnerability when callstats is enabled
-
Martin
Licaon_Kter: Do you know whether it's fixed in today's jitsi-meet update? Didn't find anything in the changelog.
-
Holger
Martin: https://github.com/jitsi/jitsi-videobridge/pull/1776
-
Holger
Seems the stable/jitsi-meet_6726 tag has that commit (cherry-picked, i.e. different commit hash).
-
Holger
FWIW, I couldn't easily bump log4j for our videobridge and had applied this instead: https://github.com/jitsi/jitsi-videobridge/pull/1774
-
Martin
I set `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true` additionally, just in case it's not yet fixed. But if they cherry-picked that commit it should be fine. Thanks. :)
-
Licaon_Kter
Did the same yes, albeit my build is really old :((
-
jonas’
Licaon_Kter: some builds ship with log4j older than 2.10 where these workarounds are not available
-
Licaon_Kter
Are there arm64 builds? That aside, my config needs an update as I don't use prosody...
-
Licaon_Kter
https://upload.convorb.im/7c370453f738f2c0c995eaee643e5e0aba76aeb0/QO0aGVTAZ0Jxlnc0tMtoL4oNdv63uTGkCKLbPRBK/c4b5996c-bc37-404d-8bd8-cbd9c31268fc.png
-
Licaon_Kter
Wow...this...
-
Licaon_Kter
(Dino pasted an image selected in Firefox... unexpected but nice)
-
kahlb
Licaon_Kter: you're not alone. I already posted some quick n dirty analysis to xmpp:cybersecurity@conference.netbk.de?join earlier today. What service is this from? Jitsi?
-
Licaon_Kter
Dunno, just saw it was said that it can be triggered with a special user agent too, which makes it...brrr
-
kahlb
You can trigger it by pretty much everything that is going to be written to a log by log4j, so it's User-Agent, chat messages, http get/post... Kind of scary, yes. Not only server applications are in danger, clients and standalone software as well.
-
TheCoffeMaker
lol, I used to be a Java developer and later an architect for HP, before they split in two ... All software from American Airlines, CenturyLink, Sprint, JPMorgan, American Tobacco, oh! and CitiCorp software too .. All of them use log4j 🤣
-
moparisthebest
TheCoffeMaker: but how many log4j2 instead of log4j1 ? :)
-
moparisthebest
Only 2 is vulnerable, which makes the lesson clear, never upgrade anything ever
-
TheCoffeMaker
> Only 2 is vulnerable, which makes the lesson clear, never upgrade anything ever lol that's worse
-
TheCoffeMaker
> but how many log4j2 instead of log4j1 ? :) If it ain't broken, don't fix it
-
ernst.on.tour
moparisthebest: As far as I know, log4j1 is also vulnerable but not named because it's been out-of-scope for 6 years. It contains a JMS Appender which can use JNDI. As written today, the JMS only loads strings from the remote server, not serialized objects, so maybe you are right.
-
moparisthebest
Ah really? Yesterday I read the bug was introduced only in 2 in 2013 but that sounds like it could be a similar different one, thanks!
-
TheCoffeMaker
lol ... I'm too old for this sh*
-
kahlb
log4j 1 is not vulnerable.
-
rozzin
So..., what exactly is the issue with log4j? It sounds like it's not just use of unsanitized input for *format strings*, but also for any string arguments that I would have expected to just get rendered by string-splicing?
-
moparisthebest
rozzin: correct
-
rozzin
Some of the writeups seem to actually be saying that, but they're saying it in non-technical language, so I wasn't sure how literally I should take those statements....
-
rozzin
But I've noticed what seems to be a total absence of the usual "stop passing unsanitized input strings to formatter-procedures, people!" admonitions for this.
-
rozzin
And the fix is "turn that feature off in log4j".
-
rozzin
I'm having trouble understanding..., why would anyone want a feature that treats *every* argument as a formatter with no method of escape?
-
moparisthebest
rozzin: this is maybe the best write-up https://www.lunasec.io/docs/blog/log4j-zero-day/
-
moparisthebest
But yes, it's any and every argument, and that feature can only be turned off in somewhat newer versions
-
Licaon_Kter
Some info here too: https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
-
rozzin
moparisthebest: that is a good explanation—thanks.