Log4J Fiasco - Are normal users in trouble too?

Hey guys, I hope you are all well. There is this new nasty vulnerability in Java, which, by nature of it being cross-platform, affects a lot of the stuff we use, particularly in the homelab. So reddit has this list that basically says if you are running or maybe even using Java applications that have access to the internet, you could be in severe trouble, because it affects ALL Java versions after all.

Heads up guys if you are using:

Unifi
Elastic
Minecraft
TP-Link stuff
VM Ware
Docker
Backblaze

All these are affected so far and need to be patched. I think Docker has issued a scanning tool, but people are saying it is broken as of writing this.

Makes me wonder about the security of abandoned Android and iOS apps out there. Please post if there are other known affected apps/servers programs.

Stay safe and patch up.


EDIT:

I have found a larger list, which includes enterprise stuff, over on BleepingComputer.

2 Likes

From what I have read, it only affects log4j version 2.

Most threat actors are looking for corporate vulnerabilities where the data they might get at is more valuable, but that doesn’t mean that end users are not vulnerable.

There is an easy fix to block the vulnerability.

I've read somewhere (can't recall exactly) that all versions are affected, but with a slightly lesser degree of severity.

I do not even have that package installed on my system.

From my limited understanding, it's a library, so it could actually be stashed in a lot of places, not just actual packages.

1 Like
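Since the library can sit inside other jars rather than being installed as a package, here is an added example (not from this thread or any vendor tool) of a small Python scanner that opens each jar/war and every jar nested inside it and reports any bundled log4j-core with its version. The metadata paths it looks for (`pom.properties` and `JndiLookup.class`) are assumed from the published log4j-core jar layout, and the "fat jar" it scans is constructed in memory as sample input.

```python
import io
import zipfile
from pathlib import Path

# Entry paths inside a log4j-core jar (assumed from the published jar layout, not from this thread).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, label: str, findings: list) -> list:
    """Look for log4j-core inside one archive, recursing into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; skip it
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:  # version line looks like "version=2.14.1"
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"location": label, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names})
    for name in names:  # shaded/fat jars and wars bundle other jars as plain entries
        if name.lower().endswith(ARCHIVES):
            scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory and report every embedded log4j-core copy found under it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_fat_jar() -> bytes:
    """Constructed sample: an app jar bundling log4j-core 2.14.1 as a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; a stand-in
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_tree("/opt")` (or wherever your homelab services live) to get a list of every nested log4j-core copy and its version, which is what needs to be compared against the patched releases.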

Can’t speak for end users, but my work is going absolutely apeshit getting things patched this week.

3 Likes

Here are 2 lists that people from the security community are referencing for lists of affected products:

  • https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#affected-products
  • https://github.com/NCSC-NL/log4shell/tree/main/software (src: https://twitter.com/HackingDave/status/1470805623415713806?t=HVZL_UXpaE7JatZU-WxPdQ&s=19)

The last one is actually taking statements from vendors as well, and saving screenshots from them: https://github.com/NCSC-NL/log4shell/tree/main/software/vendor-statements :sweat_smile:

PS, sorry I can’t post links yet: https://discourse.destinationlinux.network/t/discourse-post-issue-images-link/4594?u=elrey741 :sweat_smile:

1 Like