Info-Apache Log4j Remote Code Execution Vulnerability in thousands of servers

glasskuter

Well-known member
Power User
VIP
Local time
2:36 AM
Posts
644
Location
The Lone Star State of Texas
OS
Windows 11 Pro 21H2 22000.438
According to recent articles, "hundreds of millions" of internet-connected devices and services are vulnerable to hackers because of a newly discovered security flaw in a widely used piece of computer code used by many servers. The vulnerability is found in log4j, an open-source, java based, Apache logging library used by apps and services across the internet, many which are used by the federal government. It could allow hackers to run malicious code on targeted computer systems for purposes including espionage and ransomware .

According to the experts, generally speaking any consumer device that uses a web server could be running Apache. It is widely used in devices like smart TVs, DVR systems and security cameras. The government and Microsoft are scrambling to identify the many servers involved.

So far, Microsoft has found this vulnerability in its own products, Azure Spring Cloud, Azure Databricks, Azure DevOps and Minecraft. MS patched their Minecraft server, but it still exists in non-Microsoft hosted Minecraft servers. CVE-2021-44228 - Security Update Guide - Microsoft - Apache Log4j Remote Code Execution Vulnerability addresses the MS servers identified so far that require customer action.

All that said, can someone answer 2 questions for me. Java code has caused security problems for years. Why is it still allowed to be used? And why in the world would our government, Microsoft, and Security companies give a heads up to all the hackers out there that the flaw exists in the first place before it is fully mitigated? It’s like saying “Exploit me!” Makes no sense to me.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro 21H2 22000.438
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900
    Memory
    32 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 m.2 2230-256+1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 21H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    standard
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Antivirus
    Defender+MWB Premium

BunnyJ

Python Programmer
Pro User
VIP
Local time
3:36 AM
Posts
4,233
Location
Oak Ridge, TN(The Secret City)
OS
Windows 11 Home 22538.1010
Well.. Java is popular and many people use it. The question should be why would anyone use it in critical systems since it has a long history of vulnerabilities. Part two.. the hacker(s) knew about this before anyone made an announcement about the issue. Trust me.. hackers are miles ahead of the Gov etc. :cool:
 

My Computer

System One

  • OS
    Windows 11 Home 22538.1010
    Computer type
    PC/Desktop
    Manufacturer/Model
    Banna Junior 7000 - X Series
    CPU
    Ryzen 7 2700X
    Motherboard
    Asus Crosshair VII Hero, X470
    Memory
    Gskill 32GB, 16GBX2 PC3000
    Graphics Card(s)
    GeForce GTX TITAN X 12GB
    Sound Card
    Realtek (R) Audio
    Monitor(s) Displays
    Viotek 32" Curved, ViewSonic 27"
    Screen Resolution
    1080P
    Hard Drives
    Primary Samsung 256 SSD
    PSU
    EVGA BQ 700w 80+ Bronze
    Case
    NZXT 510
    Cooling
    Stock AMD cooler
    Keyboard
    Corsair
    Mouse
    Amazon Generic with Cord
    Internet Speed
    Download: 350.50 mbps Upload: 12.02 mbps Ping: 15ms
    Browser
    Firefox, Chrome and Edge
    Antivirus
    MS - Defender

BunnyJ

Python Programmer
Pro User
VIP
Local time
3:36 AM
Posts
4,233
Location
Oak Ridge, TN(The Secret City)
OS
Windows 11 Home 22538.1010
One more thought.. the other reason Java is used is because it's a great cross platform language. You can basically code it one time and run it just about anywhere. This makes life easier for developers but in this case I believe the code hasn't been maintained properly hence this issue.

Is java better now in terms of vulnerability? Yes.. but it's far from as good as it should be. IMO.
 

My Computer

System One

  • OS
    Windows 11 Home 22538.1010
    Computer type
    PC/Desktop
    Manufacturer/Model
    Banna Junior 7000 - X Series
    CPU
    Ryzen 7 2700X
    Motherboard
    Asus Crosshair VII Hero, X470
    Memory
    Gskill 32GB, 16GBX2 PC3000
    Graphics Card(s)
    GeForce GTX TITAN X 12GB
    Sound Card
    Realtek (R) Audio
    Monitor(s) Displays
    Viotek 32" Curved, ViewSonic 27"
    Screen Resolution
    1080P
    Hard Drives
    Primary Samsung 256 SSD
    PSU
    EVGA BQ 700w 80+ Bronze
    Case
    NZXT 510
    Cooling
    Stock AMD cooler
    Keyboard
    Corsair
    Mouse
    Amazon Generic with Cord
    Internet Speed
    Download: 350.50 mbps Upload: 12.02 mbps Ping: 15ms
    Browser
    Firefox, Chrome and Edge
    Antivirus
    MS - Defender

glasskuter

Well-known member
Power User
VIP
Thread Starter
Local time
2:36 AM
Posts
644
Location
The Lone Star State of Texas
OS
Windows 11 Pro 21H2 22000.438
hackers are miles ahead of the Gov
They don't have to be traveling very fast to stay ahead of OUR government. Too much talk, not enough action.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 21H2 22000.438
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900
    Memory
    32 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 m.2 2230-256+1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 21H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    standard
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Antivirus
    Defender+MWB Premium

BunnyJ

Python Programmer
Pro User
VIP
Local time
3:36 AM
Posts
4,233
Location
Oak Ridge, TN(The Secret City)
OS
Windows 11 Home 22538.1010
They don't have to be traveling very fast to stay ahead of OUR government. Too much talk, not enough action.
Well.. the gov can't test every bit of code for vulnerabilities.
 

My Computer

System One

  • OS
    Windows 11 Home 22538.1010
    Computer type
    PC/Desktop
    Manufacturer/Model
    Banna Junior 7000 - X Series
    CPU
    Ryzen 7 2700X
    Motherboard
    Asus Crosshair VII Hero, X470
    Memory
    Gskill 32GB, 16GBX2 PC3000
    Graphics Card(s)
    GeForce GTX TITAN X 12GB
    Sound Card
    Realtek (R) Audio
    Monitor(s) Displays
    Viotek 32" Curved, ViewSonic 27"
    Screen Resolution
    1080P
    Hard Drives
    Primary Samsung 256 SSD
    PSU
    EVGA BQ 700w 80+ Bronze
    Case
    NZXT 510
    Cooling
    Stock AMD cooler
    Keyboard
    Corsair
    Mouse
    Amazon Generic with Cord
    Internet Speed
    Download: 350.50 mbps Upload: 12.02 mbps Ping: 15ms
    Browser
    Firefox, Chrome and Edge
    Antivirus
    MS - Defender

glasskuter

Well-known member
Power User
VIP
Thread Starter
Local time
2:36 AM
Posts
644
Location
The Lone Star State of Texas
OS
Windows 11 Pro 21H2 22000.438
@BunnyJ You're the coder so I lean to your expert wisdom. :LOL:
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 21H2 22000.438
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900
    Memory
    32 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 m.2 2230-256+1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 21H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    standard
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Antivirus
    Defender+MWB Premium

BunnyJ

Python Programmer
Pro User
VIP
Local time
3:36 AM
Posts
4,233
Location
Oak Ridge, TN(The Secret City)
OS
Windows 11 Home 22538.1010

My Computer

System One

  • OS
    Windows 11 Home 22538.1010
    Computer type
    PC/Desktop
    Manufacturer/Model
    Banna Junior 7000 - X Series
    CPU
    Ryzen 7 2700X
    Motherboard
    Asus Crosshair VII Hero, X470
    Memory
    Gskill 32GB, 16GBX2 PC3000
    Graphics Card(s)
    GeForce GTX TITAN X 12GB
    Sound Card
    Realtek (R) Audio
    Monitor(s) Displays
    Viotek 32" Curved, ViewSonic 27"
    Screen Resolution
    1080P
    Hard Drives
    Primary Samsung 256 SSD
    PSU
    EVGA BQ 700w 80+ Bronze
    Case
    NZXT 510
    Cooling
    Stock AMD cooler
    Keyboard
    Corsair
    Mouse
    Amazon Generic with Cord
    Internet Speed
    Download: 350.50 mbps Upload: 12.02 mbps Ping: 15ms
    Browser
    Firefox, Chrome and Edge
    Antivirus
    MS - Defender

iko22

Well-known member
Member
VIP
Local time
8:36 AM
Posts
554
Location
South West England
OS
Windows 10
Why is it still allowed to be used?
Because the Java Virtual Machine allows portable client-server code to be written for many OSes (cross-platform development as @BunnyJ calls it). Microsoft have their own CLR (Common Language Runtime), so why do they not use it instead of Java SE? Turns out that Oracle Java and MS CLR implement the same standard. See next question for details.
And why in the world would our government, Microsoft, and Security companies give a heads up to all the hackers out there that the flaw exists in the first place before it is fully mitigated?

The standard originates in Europe. The ECMA (European Computer Manufacturers Association) wrote the ECMAscript (aka Java Script) standard, which is still being updated regularly.

Security flaws appear everywhere these days, from OSes, Applications, Client-side computing, Microprocessors, to BIOSes and TPM modules!!!

You may wish to view this article, written in 2015, which addresses similar questions about client-side computing, that this thread asks today:

Why Java is a “big deal”
Understanding Java
The brief anatomy of a Java exploit

...
So how do you protect yourself from cyber threats targeting Java?
Source:
Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer?
Hope that helps!!!
 

My Computer

System One

  • OS
    Windows 10
    CPU
    TBA
    Motherboard
    TBA

BunnyJ

Python Programmer
Pro User
VIP
Local time
3:36 AM
Posts
4,233
Location
Oak Ridge, TN(The Secret City)
OS
Windows 11 Home 22538.1010
Because the Java Virtual Machine allows portable client-server code to be written for many OSes (cross-platform development as @BunnyJ calls it). Microsoft have their own CLR (Common Language Runtime), so why do they not use it instead of Java SE? Turns out that Oracle Java and MS CLR implement the same standard. See next question for details.


The standard originates in Europe. The ECMA (European Computer Manufacturers Association) wrote the ECMAscript (aka Java Script) standard, which is still being updated regularly.

Security flaws appear everywhere these days, from OSes, Applications, Client-side computing, Microprocessors, to BIOSes and TPM modules!!!

You may wish to view this article, written in 2015, which addresses similar questions about client-side computing, that this thread asks today:


Hope that helps!!!
JavaScript isn't Java..
 

My Computer

System One

  • OS
    Windows 11 Home 22538.1010
    Computer type
    PC/Desktop
    Manufacturer/Model
    Banna Junior 7000 - X Series
    CPU
    Ryzen 7 2700X
    Motherboard
    Asus Crosshair VII Hero, X470
    Memory
    Gskill 32GB, 16GBX2 PC3000
    Graphics Card(s)
    GeForce GTX TITAN X 12GB
    Sound Card
    Realtek (R) Audio
    Monitor(s) Displays
    Viotek 32" Curved, ViewSonic 27"
    Screen Resolution
    1080P
    Hard Drives
    Primary Samsung 256 SSD
    PSU
    EVGA BQ 700w 80+ Bronze
    Case
    NZXT 510
    Cooling
    Stock AMD cooler
    Keyboard
    Corsair
    Mouse
    Amazon Generic with Cord
    Internet Speed
    Download: 350.50 mbps Upload: 12.02 mbps Ping: 15ms
    Browser
    Firefox, Chrome and Edge
    Antivirus
    MS - Defender
Top Bottom