Issues now found in log4j version 1

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Issues now found in log4j version 1
Date: Mon, 7 Feb 2022 18:23:07 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 15
Message-ID: <stro2b$jg1$1@dont-email.me>
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Mon, 7 Feb 2022 18:23 UTC

Issues have now been found in version 1 of log4j. This is the older
version that was previously not considered to be vulnerable.

Details in:

https://access.redhat.com/errata/RHSA-2022:0442

I wonder when the next logging vulnerability will be found and if
it will be log4j or something else?

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: Issues now found in log4j version 1

Date: Mon, 7 Feb 2022 13:50:51 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.5.1
Subject: Re: Issues now found in log4j version 1
Content-Language: en-US
Newsgroups: comp.os.vms
References: <stro2b$jg1$1@dont-email.me>
From: arn...@vajhoej.dk (Arne Vajhøj)
In-Reply-To: <stro2b$jg1$1@dont-email.me>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 38
Message-ID: <62016a0b$0$702$14726298@news.sunsite.dk>
Organization: SunSITE.dk - Supporting Open source
 by: Arne Vajhøj - Mon, 7 Feb 2022 18:50 UTC

On 2/7/2022 1:23 PM, Simon Clubley wrote:
> Issues have now been found in version 1 of log4j. This is the older
> version that was previously not considered to be vulnerable.
>
> Details in:
>
> https://access.redhat.com/errata/RHSA-2022:0442

The older version that reached project EOL in 2015.

Redhat has released a fix anyway.

The 3 issues cover:
* JDBC appender (application logging to a database)
* JMS sink tool that processes log events from MQ (put there by the JMS appender)
* Chainsaw, which is a GUI to view and search log files

All 3 may be somewhat rare cases. But if the number of applications using
log4j 1.x is measured in hundreds of thousands, then a vulnerability
only impacting 1% of users is still a lot of users.

> I wonder when the next logging vulnerability will be found and if
> it will be log4j or something else ?

Classic question: if you have found a lot of bugs in a program do you
assume there are still many bugs to be found (due to poor quality) or
few bugs to be found (because the bugs have been found)?

There are plenty of other logging frameworks out there.

Java: jul, logback etc.
.NET: log4net, NLog etc.
PHP: log4php, Monolog etc.
Etc.

Arne
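A defender-side check that follows from the list of affected components above, added here as an example and not code from the thread: it parses a log4j 1.x `log4j.properties` file and reports any configured appender whose class is the JDBC appender or the JMS appender (the feeder of the JMS sink). Chainsaw is a standalone viewer and never appears in application config, so it has to be inventoried separately. The sample configuration and its values are constructed; the check does not cover XML-style log4j configuration.

```python
import re
from typing import Dict, List

# Log4j 1.x appender classes that correspond to the affected components
# named in the thread (JDBC appender, and the JMS appender that feeds the
# JMS sink). Chainsaw is a standalone viewer, so it never shows up in an
# application's log4j configuration and must be inventoried separately.
AFFECTED_APPENDERS = {
    "org.apache.log4j.jdbc.JDBCAppender": "JDBC appender (logging to a database)",
    "org.apache.log4j.net.JMSAppender": "JMS appender (source for the JMS sink)",
}

# Matches appender declarations such as  log4j.appender.db=org.apache...
# but not their sub-properties such as  log4j.appender.db.URL=...
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")


def parse_appenders(properties_text: str) -> Dict[str, str]:
    """Return {appender name: appender class} from log4j.properties text."""
    found: Dict[str, str] = {}
    for line in properties_text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # Java properties comments
            continue
        m = APPENDER_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def affected_appenders(properties_text: str) -> List[str]:
    """Names of configured appenders whose class is in AFFECTED_APPENDERS."""
    return sorted(name for name, cls in parse_appenders(properties_text).items()
                  if cls in AFFECTED_APPENDERS)


# Constructed sample configuration (hypothetical, not from any real deployment).
SAMPLE_CONFIG = """\
# hypothetical log4j.properties
log4j.rootLogger=INFO, file, db
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:placeholder://db-host/logs
log4j.appender.mq=org.apache.log4j.net.JMSAppender
log4j.appender.mq.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for name in affected_appenders(SAMPLE_CONFIG):
        cls = parse_appenders(SAMPLE_CONFIG)[name]
        print(f"{name}: {cls} -> {AFFECTED_APPENDERS[cls]}")
```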

Re: Issues now found in log4j version 1

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: Issues now found in log4j version 1
Date: Tue, 8 Feb 2022 13:57:26 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 34
Message-ID: <sttss6$njr$1@dont-email.me>
References: <stro2b$jg1$1@dont-email.me> <62016a0b$0$702$14726298@news.sunsite.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Tue, 8 Feb 2022 13:57 UTC

On 2022-02-07, Arne Vajhøj <arne@vajhoej.dk> wrote:
> On 2/7/2022 1:23 PM, Simon Clubley wrote:
>> Issues have now been found in version 1 of log4j. This is the older
>> version that was previously not considered to be vulnerable.
>>
>> Details in:
>>
>> https://access.redhat.com/errata/RHSA-2022:0442
>
> The older version that reached project EOL in 2015.
>
> Redhat has released a fix anyway.
>

When you consider that Redhat routinely backports security fixes to
older versions of software, that's probably not as unusual as it seems.

>
> There are plenty of other logging frameworks out there.
>
> Java: jul, logback etc.
> .NET: log4net, NLog etc.
> PHP: log4php, Monolog etc.
> Etc.
>

In addition to those, there are also the public facing loggers that
exist within an operating system itself.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: Issues now found in log4j version 1

From: klu...@panix.com (Scott Dorsey)
Newsgroups: comp.os.vms
Subject: Re: Issues now found in log4j version 1
Date: 8 Feb 2022 14:00:00 -0000
Organization: Former users of Netcom shell (1989-2000)
Lines: 10
Message-ID: <sttt10$8ue$1@panix2.panix.com>
References: <stro2b$jg1$1@dont-email.me>
 by: Scott Dorsey - Tue, 8 Feb 2022 14:00 UTC

Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>
>I wonder when the next logging vulnerability will be found and if
>it will be log4j or something else ?

"What ye code in haste ye shall reap in endless patches."
-- St. Presper's Admonition to the Algolites

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Re: Issues now found in log4j version 1

Date: Tue, 8 Feb 2022 10:07:13 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.5.1
Subject: Re: Issues now found in log4j version 1
Content-Language: en-US
Newsgroups: comp.os.vms
References: <stro2b$jg1$1@dont-email.me>
<62016a0b$0$702$14726298@news.sunsite.dk> <sttss6$njr$1@dont-email.me>
From: arn...@vajhoej.dk (Arne Vajhøj)
In-Reply-To: <sttss6$njr$1@dont-email.me>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Lines: 39
Message-ID: <62028728$0$692$14726298@news.sunsite.dk>
Organization: SunSITE.dk - Supporting Open source
 by: Arne Vajhøj - Tue, 8 Feb 2022 15:07 UTC

On 2/8/2022 8:57 AM, Simon Clubley wrote:
> On 2022-02-07, Arne Vajhøj <arne@vajhoej.dk> wrote:
>> On 2/7/2022 1:23 PM, Simon Clubley wrote:
>>> Issues have now been found in version 1 of log4j. This is the older
>>> version that was previously not considered to be vulnerable.
>>>
>>> Details in:
>>>
>>> https://access.redhat.com/errata/RHSA-2022:0442
>>
>> The older version that reached project EOL in 2015.
>>
>> Redhat has released a fix anyway.
>
> When you consider that Redhat routinely backport security fixes to
> older versions of software, that's probably not as unusual as it seems.

True.

But the users of log4j 1.x have accepted a risk
by using an EOL product, and not all of them are
Redhat customers.

>> There are plenty of other logging frameworks out there.
>>
>> Java: jul, logback etc.
>> .NET: log4net, NLog etc.
>> PHP: log4php, Monolog etc.
>> Etc.
>
> In addition to those, there are also the public facing loggers that
> exist within an operating system itself.

You mean Windows event log, *nix syslog, VMS various (operator log,
audit log etc.)?

Arne

Re: Issues now found in log4j version 1

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: Issues now found in log4j version 1
Date: Tue, 8 Feb 2022 18:28:27 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 29
Message-ID: <stucob$bdg$1@dont-email.me>
References: <stro2b$jg1$1@dont-email.me> <62016a0b$0$702$14726298@news.sunsite.dk> <sttss6$njr$1@dont-email.me> <62028728$0$692$14726298@news.sunsite.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Tue, 8 Feb 2022 18:28 UTC

On 2022-02-08, Arne Vajhøj <arne@vajhoej.dk> wrote:
> On 2/8/2022 8:57 AM, Simon Clubley wrote:
>> On 2022-02-07, Arne Vajhøj <arne@vajhoej.dk> wrote:
>>> There are plenty of other logging frameworks out there.
>>>
>>> Java: jul, logback etc.
>>> .NET: log4net, NLog etc.
>>> PHP: log4php, Monolog etc.
>>> Etc.
>>
>> In addition to those, there are also the public facing loggers that
>> exist within an operating system itself.
>
> You mean Windows event log, *nix syslog, VMS various (operator log,
> audit log etc.)?
>

Yes. Those do processing of untrusted data and could be nice targets
for probing, especially those that can be reached via a network port.

If previous security events are anything to go by, there's now going
to be a good number of people looking at logging in general now that
researchers have had a high-profile success with log4j.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: Issues now found in log4j version 1

Date: Tue, 8 Feb 2022 13:59:53 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.5.1
Subject: Re: Issues now found in log4j version 1
Content-Language: en-US
Newsgroups: comp.os.vms
References: <stro2b$jg1$1@dont-email.me>
<62016a0b$0$702$14726298@news.sunsite.dk> <sttss6$njr$1@dont-email.me>
<62028728$0$692$14726298@news.sunsite.dk> <stucob$bdg$1@dont-email.me>
From: arn...@vajhoej.dk (Arne Vajhøj)
In-Reply-To: <stucob$bdg$1@dont-email.me>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Lines: 30
Message-ID: <6202bdaf$0$700$14726298@news.sunsite.dk>
Organization: SunSITE.dk - Supporting Open source
 by: Arne Vajhøj - Tue, 8 Feb 2022 18:59 UTC

On 2/8/2022 1:28 PM, Simon Clubley wrote:
> On 2022-02-08, Arne Vajhøj <arne@vajhoej.dk> wrote:
>> On 2/8/2022 8:57 AM, Simon Clubley wrote:
>>> On 2022-02-07, Arne Vajhøj <arne@vajhoej.dk> wrote:
>>>> There are plenty of other logging frameworks out there.
>>>>
>>>> Java: jul, logback etc.
>>>> .NET: log4net, NLog etc.
>>>> PHP: log4php, Monolog etc.
>>>> Etc.
>>>
>>> In addition to those, there are also the public facing loggers that
>>> exist within an operating system itself.
>>
>> You mean Windows event log, *nix syslog, VMS various (operator log,
>> audit log etc.)?
>
> Yes. Those do processing of untrusted data and could be nice targets
> for probing, especially those that can be reached via a network port.
>
> If previous security events are anything to go by, there's now going
> to be a good number of people looking at logging in general now that
> researchers have had a high-profile success with log4j.

Likely.

But I suspect they will not do as much crazy stuff as log4j.

Arne

Re: Issues now found in log4j version 1

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: Issues now found in log4j version 1
Date: Wed, 9 Feb 2022 13:28:56 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 28
Message-ID: <su0fin$32c$1@dont-email.me>
References: <stro2b$jg1$1@dont-email.me> <62016a0b$0$702$14726298@news.sunsite.dk> <sttss6$njr$1@dont-email.me> <62028728$0$692$14726298@news.sunsite.dk> <stucob$bdg$1@dont-email.me> <6202bdaf$0$700$14726298@news.sunsite.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Wed, 9 Feb 2022 13:28 UTC

On 2022-02-08, Arne Vajhøj <arne@vajhoej.dk> wrote:
> On 2/8/2022 1:28 PM, Simon Clubley wrote:
>> On 2022-02-08, Arne Vajhøj <arne@vajhoej.dk> wrote:
>>>
>>> You mean Windows event log, *nix syslog, VMS various (operator log,
>>> audit log etc.)?
>>
>> Yes. Those do processing of untrusted data and could be nice targets
>> for probing, especially those that can be reached via a network port.
>>
>> If previous security events are anything to go by, there's now going
>> to be a good number of people looking at logging in general now that
>> researchers have had a high-profile success with log4j.
>
> Likely.
>
> But I suspect they will not do as much crazy stuff as log4j.
>

There are many different kinds of "crazy", Arne. :-)

Will be interesting to see what turns up.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
