ST Alpha - "A java logging library has a vulnerability. Basically ANY end user data logged by a system can cause the library to do a "java thing" and ask a " (Reading a Post)

Down to Post

Backboards:

Posts: 153

In response to "so what's the issue? dumb it down for someone who hasn't read anything about this please -- nm" by Beaker

A java logging library has a vulnerability. Basically ANY end user data logged by a system can cause the library to do a "java thing" and ask a

Posted by oblique (aka kkuphal) Dec 14 '21, 06:18

remote server for a payload. That payload is executed as code. The best example I've seen is Apple being vulnerable to have their internal iCloud servers compromised because someone changed the name in their iPhone

It is a wicked vulnerability that is insanely pervasive because the logging library is used extensively by a shit ton of products

https://www.macworld.com/article/559108/icloud-patch-log4shell-exploit.html (www.macworld.com)

Responses:

Not dumb enough for me. -- nm - Volnelk Dec 14, 06:19 9
- heh, word -- nm - Beaker Dec 14, 06:31 1
  - The master key to the bank vault door is available online, so they cemented the door to the bank instead. -- nm - JaxSean Dec 14, 06:35
- bad code lets bad people steal all the personal sh!t from lots of sites or shut those sites down using ransomware -- nm - decline Dec 14, 06:24 4
  - you just described the entire internet -- nm - oblique Dec 14, 06:25 3
    - Right? This seems like a very level one type of problem. -- nm - Volnelk Dec 14, 06:31 2
      - There’s an exploit found in one of the foundational languages of the Internet. Everyone with Java is highly vulnerable, so just about e’eyone. -- nm - Will Hunting Dec 14, 06:43 1
        
        Don't mind me. I knew we were all fucked. -- nm - e’eyone the donkey Dec 14, 08:39
- Any data written to a log can cause the logging server to ask to be taken over - oblique Dec 14, 06:23
- Everything done in a system is logged. The logs have a vulnerability. You do something, it’s logged, it executes anything you want it too -- nm - spamlet Dec 14, 06:22

Post a message top

A java logging library has a vulnerability. Basically ANY end user data logged by a system can cause the library to do a "java thing" and ask a

Replies are disabled on threads older than 7 days.