Log4J

amlothi

Member
SoSH Member
Jan 5, 2007
802
Tell me the truth brainiacs of SOSH. How bad is this? What should I stop using until a fix is confirmed?
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
Tell me the truth brainiacs of SOSH. How bad is this? What should I stop using until a fix is confirmed?
This is really a concern for businesses and enterprises that are hosting their own applications. So if you're a hospital for instance and keep all your patient data in a web application that has the vulnerability it needs to be fixed ASAP. From an end user perspective there's not a whole lot to do except updating Minecraft.
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
Dude! Java? Really? I thought better of you
I work for a cyber security start up. We've never written a line of Java code. Still had to do upgrades because of some of the Amazon services we use like Elasticsearch.

This shit is everywhere.
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
Cloudflare, Crowdstrike, and Tenable are all freaking out. This seems like a huge concern.

https://www.yahoo.com/finance/global-race-patch-critical-computer-193652362.html
Don't buy into the hype out of companies selling security products and services. This is a big deal, but not because those guys say so. They stand to profit off it and want to use the sensationalization to drive increased security budgets and spending.

It's why the pharma companies are selling the biggest gloom with each new covid variant. They may actually be bad, but those guys are a horrible litmus test.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
I work for a cyber security start up. We've never written a line of Java code. Still had to do upgrades because of some of the Amazon services we use like Elasticsearch.

This shit is everywhere.
Yep. It’s everywhere. Elastic as you mentioned, monitoring your systems with Nagios? There too! So glad I got out of corporate security. Now I can just tell customers to go spend the next month patching.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
Don't buy into the hype out of companies selling security products and services. This is a big deal, but not because those guys say so. They stand to profit off it and want to use the sensationalization to drive increased security budgets and spending.

It's why the pharma companies are selling the biggest gloom with each new covid variant. They may actually be bad, but those guys are a horrible litmus test.
This is an awful take in this case. This is easily exploited and has a major impact. You also don’t need to pay a dime to fix it to these vendors. Trust me I deal with these companies all day long and some do sell fear but not in this case.
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
This is an awful take in this case. This is easily exploited and has a major impact. You also don’t need to pay a dime to fix it to these vendors. Trust me I deal with these companies all day long and some do sell fear but not in this case.
That is literally what I said. I said it's a big deal, but that Ale shouldn't be gauging that by those vendors coming out and making statements. Statements from corporate CISOs would carry more weight. I know that is more of Joe's background, but Cloudflare is growing their security portfolio hard as evidenced by their CEO putting offers out for customers vs Palo just this week.
 

Ale Xander

Hamilton
SoSH Member
Oct 31, 2013
72,441
That is literally what I said. I said it's a big deal, but that Ale shouldn't be gauging that by those vendors coming out and making statements. Statements from corporate CISOs would carry more weight. I know that is more of Joe's background, but Cloudflare is growing their security portfolio hard as evidenced by their CEO putting offers out for customers vs Palo just this week.
Sorry for my poor grammar. My second sentence wasn’t a function of the first.
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
Sorry for my poor grammar. My second sentence wasn’t a function of the first.
They are probably licking their chops more than they're freaking out.

Don't have time or resources to patch your externally facing sites? Cloudflare WAF can block the exploit.

Think you may have already been impacted? CrowdStrike IR can determine for sure and kick them out if they're in there.
 

amlothi

Member
SoSH Member
Jan 5, 2007
802
This is really a concern for businesses and enterprises that are hosting their own applications. So if you're a hospital for instance and keep all your patient data in a web application that has the vulnerability it needs to be fixed ASAP. From an end user perspective there's not a whole lot to do except updating Minecraft.
My assumption is this is in more than just Minecraft. Are there other things the general public should be cautious of, or are we not there yet because the focus is on exploiting big companies right now?

And, out of curiosity more than personal concern, is there risk to high profile individuals, activists, political opponents and organizations, or others who might be a worthwhile target?
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
My assumption is this is in more than just Minecraft. Are there other things the general public should be cautious of, or are we not there yet because the focus is on exploiting big companies right now?

And, out of curiosity more than personal concern, is there risk to high profile individuals, activists, political opponents and organizations, or others who might be a worthwhile target?
The general public, no, as an end user, you shouldn't really worry about this at all.

If you work in IT infrastructure or security you should be extremely worried about it and you're probably already working on it.

This is more of a server side thing that would be used to target corporate networks. It's unlikely to get to the level of impacting any individual even if high profile, unless it came out of a data dump from some company that got hacked by way of this vulnerability.
 

OfTheCarmen

Cow Humper
SoSH Member
Jul 18, 2007
5,208
I'm glad I'm not on-call this weekend. Saw a ton of emails/invites come out today for us on this.

Edit - Big insurance in CT
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
The general public, no, as an end user, you shouldn't really worry about this at all.

If you work in IT infrastructure or security you should be extremely worried about it and you're probably already working on it.

This is more of a server side thing that would be used to target corporate networks. It's unlikely to get to the level of impacting any individual even if high profile, unless it came out of a data dump from some company that got hacked by way of this vulnerability.
Here's a starting point of affected software:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

Makes it pretty clear why this is a corporate problem and not a home end user problem.

Hardly any companies out there aren't running some form of one of these products or a product that is using one of these products.