The log4j jars typically have rev numbers associated with them.
Are they log4j2.x? If so, you should examine them.
jar -tf foo.jar shows you all the classes in foo.jar.
Is JndiLookup.class in there? That's the naughty.
If they're log4j1.x they're out of date and have their own (unrelated) issues.
But again, Java puts archives inside archives.
You have to unpack .ear and .war files and see if they have a log4j*.jar file inside.

"It's complicated."

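An added example, not from the thread, that carries the steps above out in one pass: open an .ear or .war, descend into every nested jar, and for each log4j jar report the 1.x/2.x package tree it carries, the version line from its Maven pom.properties, and whether JndiLookup.class is present. The archive it scans is constructed in memory; the jar names, version strings and class bodies in it are stand-ins.

```python
import io, re, zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")  # Java nests these inside each other
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the class to look for
VERSION_RE = re.compile(r"^version=(.+)$", re.M)  # version line in a Maven pom.properties

def classify(names):  # '2.x' or '1.x' from the package tree a jar carries; None if not log4j
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        return "2.x"
    return "1.x" if any(n.startswith("org/apache/log4j/") for n in names) else None

def scan_archive(data, path=""):
    """Walk a zip held in memory, descend into nested jar/war/ear files, and report
    every log4j jar found with its Maven version and whether JndiLookup is present."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        major = classify(names)
        if major:
            version = None  # Maven builds ship META-INF/maven/<group>/<artifact>/pom.properties
            for n in (n for n in names if n.startswith("META-INF/maven/") and n.endswith("pom.properties")):
                m = VERSION_RE.search(zf.read(n).decode("utf-8", "replace"))
                version = m.group(1).strip() if m else version
            findings.append({"path": path, "major": major, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        for n in names:  # recurse into anything that is itself an archive
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(n), f"{path}!/{n}" if path else n))
    return findings

def make_zip(entries):  # in-memory zip from {name: bytes}; used only to build the sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_ear():
    """Constructed sample: .ear -> app.war -> WEB-INF/lib holding a 2.x core jar that
    still has JndiLookup and an old 1.x jar. Class bodies and versions are stand-ins."""
    core = make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe",
                     "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    old = make_zip({"org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
                    "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"})
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "WEB-INF/lib/log4j-1.2.17.jar": old})
    return make_zip({"app.war": war, "META-INF/application.xml": b"<application/>"})

if __name__ == "__main__":
    for f in scan_archive(sample_ear(), "sample.ear"):
        print(f)
```

To run it against a real deployment, pass the bytes of the .ear or .war to scan_archive with its file name as the path; a result with major "2.x" and jndi_lookup True is the jar that needs patching or removal of the class, and any "1.x" result is the out-of-date branch mentioned above.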

On Tue, Dec 14, 2021 at 7:23 PM K Crawford <kscx3ksc@xxxxxxxxx> wrote:

I also ran the SQL script. I got 32 hits.
Now what do I do with that list?

On Tue, Dec 14, 2021 at 5:38 PM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

Brad,

They don't need credentials because the malicious code runs in the same context as the Java app with a vulnerable version of log4j.

The full vulnerability, older JVM + log4j2, is really bad as the malicious actor gets to load & run his/her own code from a remote server.

As I understand it, with a newer JVM, it's not quite as bad, given that the malicious actor has to find and misuse a local Java class; however, from https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/:

References and object construction with factories are still supported, just remote codebases are prohibited. Michael Stepankin in https://www.veracode.com/blog/research/exploiting-jndi-injections-java describes how the Apache XBean *BeanFactory* can be used in a returned Reference to achieve code execution. This class has to be locally available on the targeted system, however, it is for example included in Apache Tomcat. If your application runs in Tomcat, bad luck. https://github.com/veracode-research/rogue-jndi also has another vector for WebSphere.


Now I am not a Java guru, nor have I really spent any time working on how to maliciously work an IBM i... so I can't give you a step by step or a hard example. But I can say that my repo on our dev box with code for running Apache Camel & Kafka on the IBM i popped up on our security team's radar.

Luckily, most malicious actors concentrate on Windows/Linux. But I'm willing to bet some of them are familiar with the IBM i.

Charles


On Tue, Dec 14, 2021 at 1:38 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Thanks for clipping this from my post:

Not a hypothetical... real world. Maybe if you found it on your system... step us through how someone could cause harm without having credentials to your system.

Thanks... maybe there will be another TP shortage because of this...

On Tue, Dec 14, 2021 at 12:50 PM Jack Woehr via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

On Tue, Dec 14, 2021 at 11:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Anyone care to share a real world example of how this would hurt someone on the IBM i? From what I understand it requires a lot of variables... one being that the attacker needs to be able to inject commands into the logger.

https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

--
Jack Woehr, IBM Champion 2021 <https://www.youracclaim.com/badges/528d23d6-087f-4698-8d17-d59688106ac4/public_url>
Absolute Performance, Inc.
12303 Airport Way, Suite 100
Broomfield, CO 80021

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com





--
KCrawford