#clojure-europe
2021-12-11
genRaiy 08:12:33

mongo roding

genRaiy 08:12:49

Rode (verb): (of the male woodcock) to perform a display flight at dusk during the breeding season

genRaiy 08:12:33

You when you’re convincing the team to try a webscale DB in the morning

orestis 11:12:24

Good morning! I spent a Saturday morning in a hotel room in Copenhagen ensuring that our upgrade to log4j indeed works :)

pez 13:12:36

What does an attempt look like?

orestis 15:12:40

The command to make sure it actually passes through is: curl -v -A 'foo ${jndi:ldap://127.0.0.1/test} bar' 'https://your-server/$%5C%7Bjndi:ldap://127.0.0.1/test%5C%7D'

orestis 15:12:00

If you are not vulnerable, you will see the user agent and the path logged as-is.

orestis 15:12:24

If you are, you will see an exception in the logs about not being able to connect via JNDI to that server.

orestis 15:12:58

If you log with defaults with Nginx, you should see the attempts in access.log.

orestis 15:12:21

You can use that curl command to simulate a harmless attack.

orestis 15:12:26

We use pedestal and the default configuration is to only log paths, not user agents. Most attempts involved UA strings, and the only attempts that dealt with paths didn't get the escaping right.

orestis 15:12:54

We had the mitigation in place before the floodgates opened, luckily.

orestis 11:12:46

Scary to see a flood of attempts since yesterday.

lread 15:12:45

gogo dorm inn