[HN Gopher] CVE-2021-44832: New Log4j 2 vulnerability
___________________________________________________________________
Author : xaner4
Score  : 53 points
Date   : 2021-12-28 22:06 UTC (53 minutes ago)
web link (nvd.nist.gov)

| Sebguer wrote:
| The worst part of these major vulnerabilities is the endless
| follow-on stream of knee-jerk 'CVEs' that are clearly
| nothing-burgers, and yet will be described as a 'new Log4j'
| vulnerability, and cause a bunch of people who don't know better
| to panic.
|
| formerly_proven wrote:
| Eh, that sounds like it's not a vulnerability at all. Most app
| server configuration files allow you to load and run arbitrary
| code.
|
| phoronixrly wrote:
| Yeah, maybe it should be mentioned in the title to save people
| from PTSD over the holidays...
|
| xaner4 wrote:
| If I could have changed the title I would have added
| something to make it give less PTSD.
|
| jet390 wrote:
| If you've been impacted by these log4j vulnerabilities, have a
| look at aegis4j, a Java agent that completely disables platform
| features you don't use, before an attacker uses them against you
| (including e.g. JNDI and Java serialization).
|
| https://github.com/gredler/aegis4j/
|
| jfoutz wrote:
| I've just started looking, and I'm not an expert.
|
| The key point here is log4j can get configuration a lot of
| different ways, including a network request. Based on
| https://logging.apache.org/log4j/2.x/manual/configuration.ht...
| control over DNS would let you rewrite sections of config, and
| thus run arbitrary code.
|
| So, if you've got some access, this would allow you to escalate
| that access to a full RCE. I think that's why it's only Medium
| severity.
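jfoutz's point above is that the configuration location itself is the thing to audit: Log4j 2 reads it from a system property or environment variable, and that value can name a local file, a classpath resource or a URL. The script below is an added example for defenders, not code from the thread, from Log4j or from the NVD entry. It audits a JVM's command line and environment for those settings and flags configuration that is fetched over the network or that sits in a file the application user (or anyone else) can rewrite, which is the precondition the CVE text names. The property names `log4j2.configurationFile`, `log4j.configurationFile` and `LOG4J_CONFIGURATION_FILE` are the ones documented in the Log4j 2 configuration manual; the command line and the temporary config file in `demo()` are constructed for the example.

```python
"""Added example: audit where a JVM will load its Log4j 2 configuration from,
and whether that source can be tampered with. Not part of Log4j or the thread."""
import os
import shlex
import stat
import tempfile
from urllib.parse import urlparse

# Settings Log4j 2 consults for its configuration location (names from the
# Log4j 2 configuration manual; the value may be a comma-separated list).
CONFIG_SYS_PROPS = ("log4j2.configurationFile", "log4j.configurationFile")
CONFIG_ENV_VAR = "LOG4J_CONFIGURATION_FILE"
REMOTE_SCHEMES = {"http", "https", "ftp"}


def config_locations(cmdline, env):
    """Collect configuration locations from -D flags on the JVM command
    line and from the environment, splitting comma-separated lists."""
    raw = []
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            if key in CONFIG_SYS_PROPS:
                raw.append(val)
    if CONFIG_ENV_VAR in env:
        raw.append(env[CONFIG_ENV_VAR])
    return [p.strip() for v in raw for p in v.split(",") if p.strip()]


def classify_location(loc):
    """'remote' for network URLs, 'classpath' for classpath: URLs,
    'local' for plain paths and file: URLs."""
    scheme = urlparse(loc).scheme
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme == "classpath":
        return "classpath"
    return "local"


def local_path(loc):
    """Turn a file: URL into a filesystem path; leave plain paths alone."""
    parsed = urlparse(loc)
    return parsed.path if parsed.scheme == "file" else loc


def file_findings(path, app_uid):
    """Flag a config file that the application user or anyone else can
    rewrite: that is the precondition the CVE text requires."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found (a writable parent directory lets one be planted)"]
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_uid == app_uid and st.st_mode & stat.S_IWUSR:
        findings.append(f"{path}: owned and writable by the application user")
    return findings


def audit(cmdline, env, app_uid):
    """Return a list of human-readable findings for one JVM."""
    findings = []
    for loc in config_locations(cmdline, env):
        kind = classify_location(loc)
        if kind == "remote":
            findings.append(f"{loc}: configuration fetched over the network "
                            "(whoever controls DNS or the serving host controls it)")
        elif kind == "local":
            findings.extend(file_findings(local_path(loc), app_uid))
    return findings


def demo():
    """Constructed scenario: one config fetched over HTTPS and one
    world-writable local file, both named on the JVM command line."""
    cfg = os.path.join(tempfile.mkdtemp(), "log4j2.xml")
    with open(cfg, "w") as fh:
        fh.write("<Configuration/>\n")
    os.chmod(cfg, 0o666)
    cmd = (f"java -Dlog4j2.configurationFile=https://cfg.example/log4j2.xml,{cfg} "
           "-jar app.jar")
    app_uid = os.getuid() if hasattr(os, "getuid") else -1
    return audit(cmd, {}, app_uid)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice you would feed `audit()` the command line and environment of each running JVM (for example from `/proc/<pid>/cmdline` and `/proc/<pid>/environ`) and the uid it runs as. The "owned and writable by the application user" finding matters for exactly the escalation jfoutz describes: a file-write primitive inside the application is enough to rewrite the logging configuration, so the config should be owned by a separate account and read-only to the service.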
| NicolaiS wrote:
| "Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a
| remote code execution attack _if an attacker with permission to
| modify the logging configuration file_ can construct a malicious
| configuration"
|
| rst wrote:
| The threat here is that "an attacker with permission to modify
| the logging configuration file can construct a malicious
| configuration". If the attacker can modify server config files,
| this particular log4j fixup is likely to still leave you with
| nasty problems.
|
| jfoutz wrote:
| Yes, that would be true. Unfortunately log4j doesn't get
| configuration exclusively from config files on the server where
| it's running. This doesn't look like no-access-to-full-RCE like
| the first few rounds. But this might let an attacker turn a
| small exploit into a big exploit.
___________________________________________________________________
(page generated 2021-12-28 23:00 UTC)