Andy Ringsmuth wrote on 11/12/2021 03:54:
The intricacies of Java are over my head, but I’ve been reading about this
Log4j issue that sounds pretty bad.
What do we know about this? What, if anything, can a network operator do to
help mitigate this? Or even an end user?
The payload can be contained in https, so there is no way of detecting /
stopping this at the network level. Installations need to be upgraded /
fixed.
https://logging.apache.org/log4j/2.x/security.html
1. upgrade log4j to 2.15.0 and restart all java apps
2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment
variable (v2.10+ only)
4. zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class
There's a lot of scanning going on at the moment, so if you have an
exposed java instance running something which includes log4j2, you may
already be compromised.
Nick
