Anyone else spend all weekend mitigating the Log4J vulnerability?

[tomq_123]

This thing is crazy. We've had to update all our applications directly to both Log4J v. 2.15 and add in the JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true to all our applications. Hardest part has been tracing downstream dependencies that might run on the same JVM (AppD, NewRelic, Datadog, etc....). Plus, we are now finding that our NodeJS apps might also be vulnerable due to downstream dependency agents.

 

[hog88]

You might try posting in english.

 

[GoVols1998Yeah!]

This thing is crazy. We've had to update all our applications directly to both Log4J v. 2.15 and add in the JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true to all our applications. Hardest part has been tracing downstream dependencies that might run on the same JVM (AppD, NewRelic, Datadog, etc....). Plus, we are now finding that our NodeJS apps might also be vulnerable due to downstream dependency agents.

None of my applications had to be updated, but the company I work for does have a handful that use NodeJS. Can you elaborate on the downstream NodeJS vulnerabilities?

 

[tomq_123]

None of my applications had to be updated, but the company I work for does have a handful that use NodeJS. Can you elaborate on the downstream NodeJS vulnerabilities?

Mostly AddDynamics, NewRelic,Datadog services running in same server/container instance.

 

[GoVols1998Yeah!]

Mostly AddDynamics, NewRelic,Datadog services running in same server instance.

Thanks. The new guy has the NodeJS apps and my boss is probably on top of it, but it's better safe than sorry.

 

[Wireless1]

So for us common people, who just got access to what, and what’s it going to cost me?

 

[tomq_123]

So for us common people, who just got access to what, and what’s it going to cost me?

Interestingly, the initial hack was found via gaining complete and uncontrolled access to a Minecraft server via this exploit. The hacker was able to run commands on the server via the Minecraft chat function (i.e. Delete all files, install this malware, etc...). Log4J is a free and opensource Java programming library (it allows programmers to write logs on what is happening in their applications) and it has been around a very long time and is used almost everywhere Java is used (which is still a lot).

 

[GASOUTHERNVOL]

This thing is crazy. We've had to update all our applications directly to both Log4J v. 2.15 and add in the JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true to all our applications. Hardest part has been tracing downstream dependencies that might run on the same JVM (AppD, NewRelic, Datadog, etc....). Plus, we are now finding that our NodeJS apps might also be vulnerable due to downstream dependency agents.

Are you trying to summon a demon or something?

 

[GoVols1998Yeah!]

Are you trying to summon a demon or something?

I think the idea is to protect the daemons that have already been summoned.

 

[GASOUTHERNVOL]

I think the idea is to protect the daemons that have already been summoned.

Keep them fro getting passed the hellfire wall...

 

[CopperHead_Vol]

Dealing with it now across 30+ gov customer environments. zero sleep last night....

 

[vader]

 

[GASOUTHERNVOL]

Some kind of hibbidy jibbidy.

 

[Wireless1]

Interestingly, the initial hack was found via gaining complete and uncontrolled access to a Minecraft server via this exploit. The hacker was able to run commands on the server via the Minecraft chat function (i.e. Delete all files, install this malware, etc...). Log4J is a free and opensource Java programming library (it allows programmers to write logs on what is happening in their applications) and it has been around a very long time and is used almost everywhere Java is used (which is still a lot).

So are the Chinese poised to take down our electrical grid as a result, or did all the gamers just lose their high scores?

 

[tomq_123]

So are the Chinese poised to take down our electrical grid as a result, or did all the gamers just lose their high scores?

They can do that anytime they want, regardless of this issue.

 

[tomq_123]

Dealing with it now across 30+ gov customer environments. zero sleep last night....

Sorry to hear that man. Hopefully you are getting paid overtime (I did not).

 

[CopperHead_Vol]

Sorry to hear that man. Hopefully you are getting paid overtime (I did not).

I wish.... going on 29hrs straight. need a pint of shine and a nap...

 

[superdave1984]

I mitigated mine in about 10 minutes. I only have two systems that I am responsible for that had it.

 

[LittleVol]

They can do that anytime they want, regardless of this issue.

You're giving the Chinese far too much credit.

 

[Hurley Mooncalf]

It created a crap ton of work for us. I worked probably 10 hours over last week and abandoned everything else pretty much on my schedule during the week to work on it. That's one of those I would love to run into the sum bitch that came up with it and knock the &^%$ out of 'em.

 

[VolInNorthCack]

It didn't affect me, but our developers and dba's have been working overtime.

 

[Tin Man]

This thing is crazy. We've had to update all our applications directly to both Log4J v. 2.15 and add in the JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true to all our applications. Hardest part has been tracing downstream dependencies that might run on the same JVM (AppD, NewRelic, Datadog, etc....). Plus, we are now finding that our NodeJS apps might also be vulnerable due to downstream dependency agents.

Sympathies