# Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet



## DeathtoGnomes (Dec 11, 2021)

Yes another one of these ... things about Java runtimes and Apache servers.

What piqued my attention was the fact that they started with Java-based Minecraft Clients and Servers, easiest to target? Maybe someone holding a personal grudge? Meh, no big loss. Good thing for those gamers there is supposedly a patch out already.

There are more details in the article so I won't post them all. There was a tracking number by Bighub, wait! I meant Github ( https://github.com/advisories/GHSA-jfh8-c2jp-5v3q ).


Summary from Github.


> Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
> As per Apache's Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.


----------



## Selaya (Dec 13, 2021)

natural selection inc


----------



## trparky (Dec 14, 2021)

As much as this is probably going to anger some people around here, open source doesn't solve every little thing. Open source people like to claim that just because there's a thousand eyes looking at the code, magically it's going to be more secure than closed source code. It's like they use open source like a magic wand, *bop* and it's instantly secure. Well, in the real world it doesn't work like that. People need to actually be reading the code and let's face facts here people, reading someone else's code is a tedious and boring job that unless I was being paid to do it, I wouldn't be doing it. Sorry, but that's the truth.

Now, before the lot of you reach for your pitchforks and torches, I'm not saying that closed source is good either. Microsoft deserves every bit of the criticism that they receive and a metric ton more. And then we have Apple iOS. Yikes. Nine separate kernel-level vulnerabilities that could be used to gain kernel-level privileges. Yikes.


----------



## thesmokingman (Dec 14, 2021)

They had a brain fart when they decided to give it that functionality, total /facepalm territory.


----------



## R-T-B (Dec 14, 2021)

trparky said:


> It's like they use open source like a magic wand, *bop* and it's instantly secure.


It's not.  It's more an argument that it's more LIKELY to be secure than a closed source product which is operating on the same magic wand principle with even less justification.

Finding things like this is what makes open source superior.  In closed source, this same bug would exist, hackers may even be aware of it, but it will likely remain a public unknown.


----------



## trparky (Dec 14, 2021)

R-T-B said:


> It's not.  It's more an argument that it's more LIKELY to be secure than a closed source product which is operating on the same magic wand principle with even less justification.


Try visiting Slashdot, it's like walking into a meeting of the zealots.


----------



## R-T-B (Dec 14, 2021)

trparky said:


> Try visiting Slashdot, it's like walking into a meeting of the zealots.


I prefer to meet and talk to individuals, not groups.



thesmokingman said:


> They had a brain fart when they decided to give it that functionality, total /facepalm  territory.


Code execution?  That's pretty standard in uh...  code.  The problem is it's being hijacked.


----------



## trparky (Dec 19, 2021)

I'm going to just leave this here...
Who's Paying to Fix Open Source Software? - Slashdot


----------



## R-T-B (Dec 19, 2021)

trparky said:


> I'm going to just leave this here...
> Who's Paying to Fix Open Source Software? - Slashdot


As I said, but it was removed, the closed source zero-cost alternative is a lot worse (generally comes from bittorrent and with free additional viruses).  Don't expect something for nothing, is the summary of your lesson.  That's sort of a "no shit Sherlock" moment.

That's directed more at big business than you, to be clear.


----------



## trparky (Dec 20, 2021)

Well then, it’s time for big business to pay their dues to the open source community. You like something? You want to use it? Cool. We have no problem with that but you’re morally obligated to pay for said library.

Relying on big business to throw you a couple of bits in the offertory plate isn’t working. Big business is essentially using open source developers as free labor and that’s wrong.


----------



## Divide Overflow (Dec 20, 2021)

Java.  The gift that keeps on giving.


----------



## trparky (Dec 20, 2021)

At just about the nine-minute mark I had a real "oh fuck, that's how the exploit works" moment. He didn't even have to explain it for me when I realized that if given malformed user input, the vulnerability could be used to trigger this exploit. It's similar to just about any vulnerability that involves malformed user input such as an SQL injection vulnerability.

So of course, I now have to wonder why in God's name did someone not check to see if the JNDI server is a trusted server or even prevent user input from containing a JNDI string. It really all comes down to simple user input sanitization. Don't trust user input, always assume that it's tainted and treat it as such.

OK, at the fourteen-minute mark I had another "oh fuck" moment. This vulnerability can be used to do God knows what.

Oh freakin' lovely...

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says - Slashdot (tech.slashdot.org)

> Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell...


----------



## R-T-B (Dec 22, 2021)

Divide Overflow said:


> Java.  The gift that keeps on giving.


It has its uses.  That said, I think it did better when Sun cared for it over Oracle.  And it never should've been a web-plugin.  That was dumbassery of the highest level.


----------



## trparky (Dec 22, 2021)

R-T-B said:


> And it never should've been a web-plugin. That was dumbassery of the highest level.


ActiveX was worse.


----------



## Vayra86 (Dec 22, 2021)

trparky said:


> Well then, it’s time for big business to pay their dues to the open source community. You like something? You want to use it? Cool. We have no problem with that but you’re morally obligated to pay for said library.
> 
> Relying on big business to throw you a couple of bits in the offertory plate isn’t working. Big business is essentially using open source developers as free labor and that’s wrong.



No, don't let them get their fingers on it with the eternal money trap. Rather, let big business use open source more. It's a way to maintain control, and have a healthier division of power between end user/consumer/civilian and corporate. It's easy to print money. But you can't print applied knowledge and experience, nor workforce.

Money & Power corrupts. It's the whole reason modding is still worth looking at - it's not infested by commerce.


----------



## trparky (Dec 23, 2021)

Well then what's your answer in giving people the support that they need to keep maintaining said open source projects? People need to eat you know, they need a roof over their heads, etc. Suffice it to say, Log4J is a rather small project that as we've seen, the whole world runs on yet the developers of it were paid nearly nothing for their work. How do you solve that?


----------



## Caring1 (Dec 23, 2021)

trparky said:


> Well then what's your answer in giving people the support that they need to keep maintaining said open source projects? People need to eat you know, they need a roof over their heads, etc. Suffice it to say, Log4J is a rather small project that as we've seen, the whole world runs on yet the developers of it were paid nearly nothing for their work. How do you solve that?


He/she should be paid royalties for their work.


----------



## trparky (Dec 24, 2021)

Caring1 said:


> He/she should be paid royalties for their work.


How do you enforce that?


----------



## R-T-B (Jan 10, 2022)

trparky said:


> How do you enforce that?


You'd need a license that declares it, for starters.


----------



## trparky (Jan 13, 2022)

R-T-B said:


> You'd need a license that declares it, for starters.


And what is that?

And then we have this...
Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps (www.bleepingcomputer.com)

> Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there's more to the story.


----------



## R-T-B (Jan 13, 2022)

trparky said:


> And what is that?


You'd write your terms and put them online?

I'll quote your article:



> If you have problems with business using your free code for free, don't publish free code.


----------



## trparky (Jan 13, 2022)

R-T-B said:


> You'd write your terms and put them online?


How do you legally protect yourself? How do you go up against these multimillion-dollar companies with lawyers chained up in their basements?

I can't help but feel for these open source developers and how they feel that they're basically being screwed (without any lube). Yes, I feel empathy for these people. Who wouldn't?


----------



## R-T-B (Jan 13, 2022)

trparky said:


> How do you legally protect yourself?


You are asking for legal advice?  I think you know the answer and it applies to all developers who want to enforce a commercial license.

If you don't want to make money on your code you can use open source licensing.  But expecting money off of it is dumb as a box of rocks.  You know the license you picked.



trparky said:


> Who wouldn't?


Me?  I mean, they thought this was about money when they chose "LGPL" or similar?  Friggin lol.

If they feel overworked, the cool thing about not being employed is no one can MAKE you fix it either.


----------



## trparky (Jan 13, 2022)

Dude, that's really lacking empathy for your fellow human here.

There has to be some kind of middle ground here. Something that allows your code to be open yet if someone wants to use it in a commercial product, that said company is legally required to compensate said developer in some kind of way.


----------



## R-T-B (Jan 13, 2022)

trparky said:


> Dude, that's really lacking empathy for your fellow human here.


I'm a coder (I do OSS too) and if you don't know what a license does, my best advice for my fellow human is to open a wikipedia page and get up to speed.



trparky said:


> Something that allows your code to be open yet if someone wants to use it in a commercial product, that said company is legally required to compensate said developer in some kind of way.


That's the GPL.  Commercial sale of code not allowed.  LGPL, MIT, etc allows commercial.  I have no idea why people worried about this don't just select GPLv3 and be done with it.

QT framework operates on such a license.


----------



## trparky (Jan 13, 2022)

R-T-B said:


> That's the GPL. Commercial use not allowed.


But who's going to enforce it? Unless you have an army of lawyers behind you, you have less than a snowball's chance in Hell of going up against say... Google or Amazon.


----------



## R-T-B (Jan 13, 2022)

trparky said:


> But who's going to enforce it? Unless you have an army of lawyers behind you, you have less than a snowball's chance in Hell of going up against say... Google or Amazon.


The Free Software Foundation typically offers to pursue violations legally on your behalf.  They even have a report hotline.

The only place this tends not to work is places embedded deeply in the trenches of where western law cannot reach.


----------



## trparky (Jan 13, 2022)

R-T-B said:


> The Free Software Foundation typically offers to pursue violations legally on your behalf.  They even have a report hotline.


Good point. I'm just seeing this situation from the point of view of a card-carrying cynical bastard.


----------



## R-T-B (Jan 13, 2022)

trparky said:


> Good point. I'm just seeing this situation from the point of view of a card-carrying cynical bastard.


Fair enough.  I have days where I carry that card too lol.


----------



## trparky (Jan 13, 2022)

R-T-B said:


> Fair enough.  I have days where I carry that card too lol.


And unfortunately, I find myself carrying that card more often than not. If there's anything that this world has taught me well, it's that this world will f**k you over the first chance it gets and smile about it afterwards.


----------



## Vayra86 (Jan 13, 2022)

trparky said:


> And unfortunately, I find myself carrying that card more often than not. If there's anything that this world has taught me well, it's that this world will f**k you over the first chance it gets and smile about it afterwards.


It's the only realistic card to carry, but it doesn't work when you try to apply it to individuals you personally meet.

That's what makes carrying it so hard. It's best to carry it, not tell anyone, and still always try to do the right thing...


----------

