[HN Gopher] CVE-2021-44832: New Log4j 2 vulnerability
       ___________________________________________________________________
        
       CVE-2021-44832: New Log4j 2 vulnerability
        
       Author : xaner4
       Score  : 53 points
       Date   : 2021-12-28 22:06 UTC (53 minutes ago)
        
 (HTM) web link (nvd.nist.gov)
 (TXT) w3m dump (nvd.nist.gov)
        
       | Sebguer wrote:
       | The worst part of these major vulnerabilities is the endless
       | follow-on stream of knee-jerk 'CVE' that are clearly nothing-
       | burgers, and yet will be described as a 'new Log4j'
       | vulnerability, and cause a bunch of people who don't know better
       | to panic.
        
       | formerly_proven wrote:
       | Eh, that sounds like it's not a vulnerability at all. Most app
       | server configuration files allow you to load and run arbitrary
       | code.
        
         | phoronixrly wrote:
         | Yeah, maybe should be mentioned in the title to save people
         | from PTSD over the holidays...
        
           | xaner4 wrote:
           | If I could have changed the title I would have added
           | something to make it give less PTSD
        
       | jet390 wrote:
       | If you've been impacted by these log4j vulnerabilities, have a
       | look at aegis4j, a Java agent that completely disables platform
       | features you don't use, before an attacker uses them against you
       | (including e.g. JNDI and Java serialization).
       | 
       | https://github.com/gredler/aegis4j/
        
       | jfoutz wrote:
       | I've just started looking, and I'm not an expert.
       | 
       | The key point here is log4j can get configuration a lot of
       | different ways, including a network request. Based on
       | https://logging.apache.org/log4j/2.x/manual/configuration.ht...
       | control over dns would let you rewrite sections of config, and
       | thus run arbitrary code.
       | 
       | So, if you've got some access, this would allow you to escalate
       | that access to a full RCE. I think that's why it's only Medium
       | severity.
        
       | NicolaiS wrote:
       | "Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a
       | remote code execution attack _if an attacker with permission to
       | modify the logging configuration file_ can construct a malicious
       | configuration"
        
       | rst wrote:
       | The threat here is that "an attacker with permission to modify
       | the logging configuration file can construct a malicious
       | configuration". If the attacker can modify server config files,
       | this particular log4j fixup is likely to still leave you with
       | nasty problems.
        
         | jfoutz wrote:
         | Yes, that would be true. Unfortunately log4j doesn't get
         | configuration exclusively from config files on the server where
         | it's running. This doesn't look like no access to full RCE like
         | the first few rounds. But this might let an attacker turn a
         | small exploit into a big exploit.
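jfoutz's two comments above make the same defensive point: what matters for this CVE is where a Log4j 2 process is allowed to load its configuration from, and who can change that source. The following Python script is an added example, not code from the thread or from the Log4j project. It reads the `log4j2.configurationFile` setting (a real Log4j 2 system property; its comma-separated-list form is assumed here) out of a JVM command line, flags locations fetched over the network, and flags local files that someone other than the owner can write. The sample command lines and file modes are constructed; the `audit`, `classify_location` and `permission_findings` helper names are mine.

```python
"""Audit where a Log4j 2 process will load its logging configuration from.

Added example (not from the HN thread or the Log4j project). It inspects the
value of the log4j2.configurationFile system property on a JVM command line
and reports sources that an outsider could influence: configuration pulled
over HTTP(S), and local files writable by group or world.
"""
import shlex
import stat
from urllib.parse import urlparse

# System property Log4j 2 consults for the configuration location.
CONFIG_PROPERTY = "log4j2.configurationFile"


def config_locations_from_cmdline(cmdline):
    """Return every -Dlog4j2.configurationFile=... value on the command line.

    Assumption: the value may be a comma-separated list of paths or URLs, so
    it is split on commas and each entry is reported separately.
    """
    prefix = f"-D{CONFIG_PROPERTY}="
    locations = []
    for arg in shlex.split(cmdline):
        if arg.startswith(prefix):
            for part in arg[len(prefix):].split(","):
                if part.strip():
                    locations.append(part.strip())
    return locations


def classify_location(location):
    """Classify a location as 'local' (plain path or file://), 'remote' (http/https) or 'other'."""
    scheme = urlparse(location).scheme.lower()
    if scheme in ("", "file"):
        return "local"
    if scheme in ("http", "https"):
        return "remote"
    # e.g. classpath: resources or a Windows drive letter; needs manual review
    return "other"


def permission_findings(mode):
    """Findings for a local file's st_mode bits.

    Anyone other than the owner being able to write the file can change what
    the logger does, which is exactly the precondition this CVE requires.
    """
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit(cmdline, modes=None):
    """Return (location, verdict) pairs for each configuration source.

    `modes` maps a local location to its st_mode (as os.stat would return),
    so callers can supply values without touching the filesystem.
    """
    modes = modes or {}
    results = []
    for loc in config_locations_from_cmdline(cmdline):
        kind = classify_location(loc)
        if kind == "remote":
            # Fetched at startup (and on reload) from the network: whoever
            # controls the host or its name resolution controls the config.
            results.append((loc, "FAIL: configuration fetched over the network"))
        elif kind == "local":
            bad = permission_findings(modes.get(loc, 0))
            verdict = "FAIL: " + ", ".join(bad) if bad else "OK: local file, owner-writable only"
            results.append((loc, verdict))
        else:
            results.append((loc, "REVIEW: unrecognised location scheme"))
    return results


if __name__ == "__main__":
    # Constructed sample: one remote source and one group-writable local file.
    sample = ("java -Dlog4j2.configurationFile="
              "https://config.internal.example/log4j2.xml,/etc/app/log4j2.xml "
              "-jar app.jar")
    for loc, verdict in audit(sample, modes={"/etc/app/log4j2.xml": 0o664}):
        print(f"{loc} -> {verdict}")
```

In practice you would feed `audit` the command line from `ps` or the process table and the modes from `os.stat` on each local path; a clean result is a local file that only the service owner can write, which is the condition under which the quoted NVD wording ("an attacker with permission to modify the logging configuration file") no longer applies.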
        
       ___________________________________________________________________
       (page generated 2021-12-28 23:00 UTC)