Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Java Security

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 91

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered Javascript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that by using one of the many Java Naming and Directory Interface (JNDI) exploits that they could trigger via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI). default port 1099., although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, an open port to a local service or a service accessible to the host is found, it can then drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.
Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports. "
This discussion has been archived. No new comments can be posted.

Security Firm Blumira Discovers Major New Log4j Attack Vector

Comments Filter:
  • It's almost Xmas. Take it all off-line, shut it down, have a few days off and patch before the new year. Unless you work for Amazon.
    • I think it's safe to say that this log4j module is a steaming piece of garbage and all software devs who use it should remove it. At this point things are getting absurd on the verge of ridiculous. How much more time are people going to have to waste on this (during the start of the holidays no less)
      • by alexgieg ( 948359 ) <alexgieg@gmail.com> on Saturday December 18, 2021 @04:32AM (#62093423) Homepage

        Don't blame the module, it's a tiny tool made as a hobby by a few developers on their spare time. Blame the huge multi-billionaire corporations who grab it, see the permissive license, think "cool! we can spare a few cents!", and never bother, you know, paying someone to do security audits and hardening of the free tools they came to so desperately and thoroughly depend upon.

        • by Entrope ( 68843 ) on Saturday December 18, 2021 @07:45AM (#62093765) Homepage

          I blame Randall Munroe for foreseeing this: https://xkcd.com/2347/ [xkcd.com]

        • In my experience, many bottom-of-the-totem-pole developers are just as quick to grab free tools whenever they can. I have found the attitude to be pervasive, and in fact it seems like blind faith in free code is more the norm.

          Don't get me wrong. I am a Linux user myself. I think open source is awesome! But when it comes to my professional work, I tend to think that we should code things ourselves whenever we can, and only rely on others (paid or free) when the nature of the task is outside of our skills

          • I think this comes from unit tests. In house devs don't want to write unit tests, and they don't have to write any tests after adding 200,000 lines of code of open source software to the project.

            Devs don't want to admit they just don't want to write tests, so they come up with sophistry to convince themselves it's not their own failures.

          • by flink ( 18449 ) on Saturday December 18, 2021 @10:56AM (#62094085)

            A couple of things. For a modern backend enterprise server web application that might have to parse html, xml, json, and maybe a few other domain specific languages, speak ldap, some SQL dialect, https, websockets and who knows what else - if you have to code all that baseline functionality yourself, you will never get to the point of making it do anything useful before you are out of business. Instead you build on top of something like Spring Framework, which might pull in a couple of dozen of free libraries, you build in a dependency vulnerability checker into your build process, and you cross your fingers.

            As far as logging goes. Yes it is an easy thing to build yourself. What is trickier is orchestrating the log output of all the libraries you pull in so they are all logging to the same place and in the same format. That is why most projects link in a logging lib. Then you just provide a config file for that lib and you've configured the logging for all your modules. These days most projects target slf4j which is a meta logging lib. It provides a common API and you can plug in whatever logging library you want at compile time by linking in that log lib and the appropriate slf4j bridge.

        • by flink ( 18449 )

          log4j is an Apache foundation managed project. Those usually come with some minimum expectation of quality. Now given that, this bug was out there for a really long time and no one found it before, so I can't really blame them.

      • Re: (Score:3, Interesting)

        by gweihir ( 88907 )

        I think it's safe to say that this log4j module is a steaming piece of garbage and all software devs who use it should remove it. At this point things are getting absurd on the verge of ridiculous. How much more time are people going to have to waste on this (during the start of the holidays no less)

        Actually the steaming pile here is Java and its broken design. The problem is that with the stupid paradigms pushed, JNDI needs to try really hard to find a class now. Of course, it tries hard for an attacker as well and that is something that the morons behind the whole approach obviously never considered.

        • The issue here is architectural for sure. But it was resolved a decade ago! Local resource and remote resources are different things. For certain resources (i.e. file system), accessing remote resources transparently seemed like a good idea (who cares where the data is stored, just give me a URL). You should also be able to see why this is convenient for other resources. i.e. Look up something in JNDI which is determined by application configuration. For testing, I have some hard-coded username/passw
          • Re: (Score:3, Interesting)

            by gweihir ( 88907 )

            There is also a meta-problem: Why did this functionality get into JNDI in the first place and why was it so easy to activate or on by default?

            This rather strongly points to designers that have no clue about security and that will have screwed up in other places as well and that will screw up again. KISS is king when you need security. JNDI is the very anti-thesis to KISS, even if this particular instance of "too helpful complexity" is hopefully now fixed.

            • I think I addressed that in some of my other posts, but the original Java designs happened at a time when many of these problems were not well understood. There have been many Java exploits over the years. Some of them were just tactical bugs (memory overflows, et cetera). Many were architectural. The platform has matured and evolved. By today's standards, the original Java design is "broken" (as pointed out by the poster to whom I replied). By today's standards, any design from ten or twenty (or twen
              • by gweihir ( 88907 )

                By today's standards, any design from ten or twenty (or twenty five in the case of Java) is broken.

                Not at all. UNIX for example is not. X11 is not even if it is a close thing. OpenSSH (22 years old) is not. Incidentally, C is not. (C++ is, but that is a different discussion.) And a lot of other things are not. Yes, all of these received fixes on implementation level. There may even have been some design changes. But the designs were sound right from the start, because they were done by people with a clue.

                The actual reality is that the Java design is shoddy right from the start and cannot be fixed. It is

                • You do realize there have been 2722 CVEs filed against the Linux Kernel ( https://www.cvedetails.com/vul... [cvedetails.com] ) vs 674 CVEs filed against Java.

                  The design of the Linux kernel is anything but ideal from a security standpoint. You should go back and read some of the back-and-forth between Linux and Tannenbaum.

                  OpenSSH has had plenty of pretty serious exploits as well. https://cve.mitre.org/cgi-bin/... [mitre.org]

                  This is a case where preconceived ideas are impacting the response to data. Java was leaps and bounds

                  • by gweihir ( 88907 )

                    You do not understand what you are talking about. Counting CVEs is not a useful metric in any way. For the Linux kernel, it is mostly divers and there are a lot of drivers in it. Also, have you actually _read_ the CVEs for OpenSSH? They concern obscure border cases, non-standard uses and the like. OpenSSH has not had a serious vulnerability in ages.

                    As to why Java became popular: Despite being an utter crappy language, it allowed low-skill people to get something to actually run. C will nicely block the utte

                    • Was a bit unfortunate. Things like JNDI should have been put in standard libraries that can be replaced. That was one of the few good things about C.

                      But the Log4j evilness was to be looking stuff up in the first place, and to do it on the full log text.

                      I use my own shim in front of Java logging. It can then go to either SLF4J or Apache Commons that my users may want, which in turn goes into a base logging system. Complexity plus! But it means that I can sanitize the log messages, kill all "${" and so s

  • It's getting near XMas!!! Couldn't they wait and talk about this in January. I pity the foo who's gonna have to spend XMas eve on VPN patching shit ... And I'm that foo, too.

  • I was too busy ignoring all the time and advice and wrote my stuff with C++.

    Oatpp running my sites just fine using my own logging mechanism.

    • I few years ago management where I was doing a job decided they were going to remove all Java from their network as a security measure. However the old Java developers made the case that there was no way we could do everything in anything else but Java. So it stayed. I wonder if this incident will be enough to give management more backbone when it comes to sticking with security based decisions.
      • Re: (Score:3, Informative)

        by Rockoon ( 1252108 )
        The Java developers got away with lying.

        Ask yourself why that is, and what predictions you can make about the future of this company. Can you tell us where this was so that we can sell the stock?
        • Re:C++, dont care (Score:5, Interesting)

          by ArmoredDragon ( 3450605 ) on Friday December 17, 2021 @11:30PM (#62093057)

          Maybe. Maybe not. Depends on the parameters. Are there any closed source libraries that they have to use in order to work with some legacy system that some finicky asshole in a high place refuses to let go of? If so, good luck getting rid of it until said asshole either quits or is fired. I guess you could reverse engineer it, but that might get expensive, and add that cost on top of whatever it costs to either train or replace your aging and soon to be obsoleted java developers.

          Java as a language is a shitshow to competent developers that know that most other languages beat the hell out of it when it comes to its crappy tooling and even crappier needlessly verbose syntax. The JRE is an even bigger shitshow for system admins that have to put up with its constantly breaking shit for no obvious reason, or needing to run two pieces of legacy software that require two different versions of the JRE on the same server.

          If you've had the misfortune of wearing both of those hats, you'll hate Java even more. Oh and how about the newer versions of log4j breaking older stuff and the fixes won't be backported? Yeah, that's always fun.

          • 100% I've worn many hats of that colour. Making things work for the people that sign your paychecks doesn't always mean making it safe. I like to explain it as tools or toys; which do you prefer?
          • by jmccue ( 834797 )

            add that cost on top of whatever it costs to either train or replace your aging and soon to be obsoleted java developers.

            COBOL just saying "Hi" to Java.

          • Java as a language is a shitshow to competent developers

            For the purposes of this exercise I'm going to assume that you're advocating for using Haskell as the development language for high-level information processing and a little bit of C and/or assembler for low-level bit or I/O manipulation, because any other assumption would lead me to believe you're an assistant junior test developer.

            • No, I've never actually used Haskell. Now Kotlin, there's a good Java replacement, though it still needs the JRE sadly, unless circumstances permit you to build native binaries. C# does a lot of things a lot better than Java does as well, and the tooling and the framework are so much easier to work with for everybody involved on any platform (linux, windows, and mac all work well), though it's not necessarily the right language (like say, needing to interact with other Java code.) C# improved upon Java, and

        • The Java developers got away with lying.
          Lying about what?

          Sure you can rewrite software in any language.

          But considering that your software might be only 100k lines, it might pull in a few million lines of libraries. You have to rewrite those, too.

          People with your ignorant comments, usually lack the expertise to write such libraries ...

  • Hmmm (Score:5, Funny)

    by Waffle Iron ( 339739 ) on Friday December 17, 2021 @09:22PM (#62092841)

    I'm not sure this is specifically what they had in mind back when they penned the slogan "Write once, run anywhere!"

    • Re:Hmmm (Score:4, Insightful)

      by Rockoon ( 1252108 ) on Friday December 17, 2021 @10:13PM (#62092937)
      Every single one of these "web infrastructure" bug stories are about monolithic packages, such as this, that try to do way more than one thing well.

      Log4j has a plugin system, and that alone should give pause w.r.t. security since now plugins are also a vector.
      Log4j supports 3 different configuration formats (xml, json, yaml) because why not take the opportunity to complicate things.
      Log4j is many api's rolled into one as it presents multiple different apis as desired to be a replacement for other logging libraries, such as the original java.util.logging api. Having many different interaction methods rooted in other peoples libraries of differing capabilities, doesnt complicate things either, right?

      All these monoliths are disasters waiting to happen. Even if you yourself vet every line of code, thats just one version, what about the next? The monolith grows.
    • It works on anything. So does anal sex. You might not like it though. Idiots need to remember that we did everything before Java was invented, including e-commerce and streaming media, on-demand, etc etc. where the *SERVER* did the heavy computing and not the client.

  • by Junta ( 36770 ) on Friday December 17, 2021 @09:30PM (#62092855)

    I look forward to another round of emergency meetings where my group is again drilled by a bunch of review teams and we again mention that we don't actually have java runtimes in any of our services, and probably get told to run a new suite of scanners for log4j vulnerabilities anyway, 'just in case'. Now not only during off hours but while everyone is supposed to be on vacation.

    • Re:Oh hurray (Score:5, Insightful)

      by Rockoon ( 1252108 ) on Friday December 17, 2021 @10:19PM (#62092943)
      If you have scheduled a vacation, dont let them get away with taking it away from you. Leave if you must. My guess is if you stand your ground they will also, but when you actually quit, they will reverse course immediately, because remember they got nobody but you to do that thing already, and now they are faced with adding all the things you do to the list of things they gotta find someone else to do. Easier to just get that someone else to do that one thing.
      • by Junta ( 36770 )

        Eh, I'm being a touch melodramatic about what might amount to 30 minutes of time, annoying spread across 4 independent groups requesting. I'm generally able to hold 40 hour work weeks and take plenty of my vacation without incident, with maybe 3 or 4 interruptions a year. The nature of the log4j interruptions annoyed me more as it was panic over not applicable and this sort of BS interruption has happened twice that I can recall over the years I've worked there.

    • I understand that some want to be conservative about security auditing, and it's better to err on the safe side.

      But when they need to check "just in case" a Java runtime was magically installed by accident, and can't determine that with a quick check based on their existing processes, then that tells me the existing auditing process are also just plain shit.

      I'm not saying they shouldn't be checking, but they have a lot more problems if they can't verify such a simple thing with an equally simple audit
      • by Corbets ( 169101 )

        The visibility into the IT estate varies a lot from company to company. However, I’ve found that in most cases, IT and security will have a pretty good visibility into what’s installed on servers and where. Usage, on the other hand, can be more problematic - some companies struggled to understand where print queues were used this summer, making it difficult to tell whether PrintNightmare was exposing them or not. Same with log4j in some cases.

        But where the real challenge comes in is with contain

        • Containers are no different from having a separate machine. If you can audit separate machines, then you can audit containers and VMs and their guests. There's nothing about a container that is so different from a separate machine that the same automated process can't be installed in them. What kind of company can't get access to inside their own containers? In fact, it should be easier.
        • The contents of a container is written in plain english, ASCII or Unicode, in an Kybernetes, Ansible, Muppet etc. p.p. description file. You pretty well know what is inside of the container. Worst case you SSH into it and use your bash fu.

      • by Junta ( 36770 )

        The issue is a panicked bureaucracy does weird things.

        In our case, there are 4 interested parties: corporate IT, a wholly independent IT group of our division that basiccally was our executives making their own because corp IT wouldn't support a lot of what we wanted to do, a security auditing team independent of both of those that usually supervises groups security practices, but largely lets them self manage, and my own team, which develops software for customers and frankly does a little 'shadow IT' of o

    • It's not just Websockets, there are a million other Internet protocols that can have the client (victim) send traffic to arbitrary addresses and ports on behalf of an attacker. My favourite one is certificates, you can use those to probe internal networks if you can convince a victim to connect to your server, so just starting the SSL handshake gets you (admittedly somewhat constrained) access to the internal network they're coming from.

      So "firewall off your Java crap" doesn't work. It stops the direct,

      • by Junta ( 36770 )

        In the case of log4j, we aren't "firewalling off our java crap", we don't even have a JRE in anything we are responsible for. It happens to be that none of our software nor our dependencies happened to require java. This panicked auditing is narrowly focused on log4j, there's a background level of security processes intended to generally handle the myriad of industry wide security risks that don't land on news sites the executives read.

      • Got any links to that explains this SSL issue? I would like to know more
        • PKI standards are written to be flexible enough to allow almost anything. In particular, the 7 million hacks that exist for revocation checking allow the cert to specify which address and port it wants a victim to visit for the revocation check, sort of a "go to this host/address and poke this port for the revocation check". So if the victim's network is 192.168.1.x you issue a cert that directs the victim to 192.168.1.1, then 192.168.1.2, etc until they've scanned their entire subnet for you. Once you k

  • apt remove liblog4j1.2-java

    This is fine for this server because it isn't serving anything via Java, lucky me.

  • How come this was published before people had the time to patch it?
  • Not a new exploit (Score:4, Informative)

    by El_Muerte_TDS ( 592157 ) on Saturday December 18, 2021 @01:50AM (#62093245) Homepage

    It depends on the `${jndi:...}` issue.

  • by peppepz ( 1311345 ) on Saturday December 18, 2021 @02:20AM (#62093279)
    It's not a new bug. It's a different exploit of the old one.
  • Update Java (Score:2, Informative)

    by bradley13 ( 1118935 )
    It remains the case that Java versions since

    J8u181 have disabled the JNDI/LDAP functionality required by this exploit. If your Java has been updated in the past three years, you should be ok. Of course, you still need to update log4j.

    • by Anonymous Coward

      Sadly this isn't 100% true, the RCE has been replicated in supposedly secure versions of Java in conjunction with the insecure version of log4j2.

  • > The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads.

    "No client control" is misleading. A client that blocks JavaScript will not issue a JavaScript WebSocket request in the first place, and hence the connection can NOT "silently start" when a web page loads.

    (this may stop some functions of the web page from working, which -- in this case -- may be a good thing)

  • Help me understand this. Default behaviour of a logging module is to open an unprotected listening websocket whenever a web page loads.

Genius is ten percent inspiration and fifty percent capital gains.

Working...