Pentax Camera Forums
12-12-2021, 01:56 AM   #1
Pentaxian




Join Date: Dec 2011
Posts: 3,112
Critical security threat - Log4j - older Adobe Software uses that

There is a very broad and critical (highest level possible) security issue out there:

Log4Shell: critical vulnerability in Apache Log4j | Kaspersky official blog

https://www.itworldcanada.com/article/it-could-take-years-for-applications-u...-expert/468238

While one might want to believe "servers" are just computing center and company stuff, it is not that easy.

A simple check on my Windows machine searching for filenames "log4j" brought up some older Adobe products which phone home using server functionalities ("CSxService manager") and do employ that component.

For Windows users I suggest doing a thorough filename search for "log4j".

The portable/non-install software called "everything" is pretty good and fast for hunting files IMHO. voidtools
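
A file-name search only finds copies that still carry the name "log4j"; applications often bundle the library inside their own archives. The sketch below is an added example, not part of the original posts, and goes one step further than the search suggested above: it also opens .jar/.war/.ear/.zip files, nested ones included, and looks for Log4j 2's `JndiLookup.class`. The sample files and their names are constructed for the demonstration.

```python
import io, os, pathlib, re, tempfile, zipfile

ARCHIVES = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.I)

def inspect_archive(src, label, depth=0, max_depth=4):
    """Report log4j-core 2.x's JNDI lookup class in an archive, nested ones included."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append((label, "contains JndiLookup.class"))
                elif name.lower().endswith(ARCHIVES) and depth < max_depth:
                    inner = io.BytesIO(zf.read(name))
                    hits += inspect_archive(inner, f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError):
        pass  # unreadable, encrypted or not really a zip: skip it
    return hits

def scan(root):
    """Walk root: flag log4j-core file names and archives that hold the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if (m := NAME_RE.search(fn)):
                hits.append((path, "file name says log4j-core " + m.group(1)))
            if fn.lower().endswith(ARCHIVES):
                hits += inspect_archive(path, path)
    return hits

def build_sample(root):
    """Constructed data: a plainly named jar, a bundled copy, an unrelated zip."""
    def jar(name, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        return buf.getvalue()
    core = jar(JNDI_CLASS, b"stub")
    for name, data in (("log4j-core-2.14.1.jar", core),
                       ("game-launcher.jar", jar("lib/logging.jar", core)),
                       ("holiday-photos.zip", jar("IMGP0001.DNG", b"raw"))):
        pathlib.Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

Pointing `scan()` at a real program folder gives a list of leads; each hit still needs the product's version and the vendor's advisory checked before deciding whether it is affected.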

12-12-2021, 02:06 AM   #2
dlhawes
Guest




Thank you for relaying that information!
12-12-2021, 02:26 AM - 1 Like   #3
Moderator
Site Supporter
Loyal Site Supporter
MarkJerling's Avatar

Join Date: May 2012
Location: Wairarapa, New Zealand
Photos: Gallery | Albums
Posts: 20,391
Voidtools is considered unsafe on my Windows 10 machine.
12-12-2021, 02:47 AM   #4
Loyal Site Supporter
Loyal Site Supporter
kiwi_jono's Avatar

Join Date: Dec 2009
Location: Christchurch, New Zealand
Photos: Gallery | Albums
Posts: 2,437
Well, being responsible for a few affected servers myself, I can confirm this is a real pain!

At this stage I'm not too concerned about my own home network because I'm operating behind a decent firewall and I don't have Java applications that I allow to connect out via the internet, but it is certainly something to be aware of for some applications.

12-12-2021, 06:56 AM   #5
Site Supporter
Site Supporter
Michail_P's Avatar

Join Date: Nov 2019
Location: Kalymnos
Photos: Gallery
Posts: 3,006
Thanks for the info. I’ve been using older versions exclusively.
12-12-2021, 07:11 AM   #6
Pentaxian




Join Date: Dec 2011
Posts: 3,112
Original Poster
Originally posted by MarkJerling:
> Voidtools is considered unsafe on my Windows 10 machine.

That is interesting. Running the download through Microsoft's VirusTotal yields zero issues.
If you use the Lite version without web functions that's even safer.

Which software claimed the "unsafe"?
12-12-2021, 08:28 AM   #7
Moderator
Not a Number's Avatar

Join Date: Mar 2012
Location: Venice, CA
Posts: 10,508
UltraSearch is my preferred file search tool.
Free File Search Tool UltraSearch | JAM Software

Actually I prefer the UI on the older 2.3.x versions which are still available.

But "everything" looks good enough to keep around.

12-12-2021, 09:37 AM   #8
Pentaxian




Join Date: Dec 2011
Posts: 3,112
Original Poster
Originally posted by Not a Number:
> UltraSearch is my preferred file search tool.
> Free File Search Tool UltraSearch | JAM Software
>
> Actually I prefer the UI on the older 2.3.x versions which are still available.
>
> But "everything" looks good enough to keep around.

Thanks for the tip. UltraSearch seems to use the exact same background as "everything". They are just blazing fast and need no indexing.
12-12-2021, 09:53 AM - 1 Like   #9
Loyal Site Supporter
Loyal Site Supporter
i_trax's Avatar

Join Date: Jan 2011
Location: Perth Western Australia
Photos: Gallery | Albums
Posts: 2,621
I use Mac, ha ha......
12-12-2021, 10:05 AM   #10
Pentaxian




Join Date: Apr 2007
Location: Romania
Posts: 15,132
Hmm... consider upgrading Java urgently? Although some apps are using their own internal version...
12-12-2021, 10:08 AM   #11
Moderator
Not a Number's Avatar

Join Date: Mar 2012
Location: Venice, CA
Posts: 10,508
Originally posted by beholder3:
> Thanks for the tip. Ultrasearch seems to use the exact same background as "everything". They are just blazing fast and need no indexing.

They appear to scan the MFT (Master File Table) of attached/selected drives at startup and load it into memory. So subsequent searches don't have to read the MFT on disk each time. UltraSearch is probably essentially the same as Everything, just with a more sophisticated UI.
12-12-2021, 10:32 AM   #12
Site Supporter
Site Supporter
StiffLegged's Avatar

Join Date: Jan 2018
Photos: Gallery
Posts: 4,560
Just to be clear: this vulnerability is with Java on Apache installations? Are Windows desktop installations vulnerable to this? Or not? Since most users are on Windows boxes, it would be good to be clear about this.
12-12-2021, 10:46 AM   #13
Pentaxian




Join Date: Dec 2011
Posts: 3,112
Original Poster
Originally posted by StiffLegged:
> Just to be clear: this vulnerability is with Java on Apache installations? Are Windows desktop installations vulnerable to this? Or not? Since most users are on Windows boxes, it would be good to be clear about this.

As far as I read and understand:
  • Apache is a server software that runs on many platforms (https://httpd.apache.org/). So a Windows OS provides zero protection
  • Updating Java does not provide protection
  • It is all about the Log4j plugin software (https://logging.apache.org/log4j/2.x/). So it makes sense to check if you have this on your computer.
--> If you have the Log4j on your computer you might be at risk.
--> more indirectly but that is not something we can realistically protect against: If some company servers using that piece of software are compromised and your computer connects to these (for example "updates") then the infected systems might be turned into virus/trojan slings. And I guess this would be one target for the hackers.


The fun part here is that practically everyone uses the risky software:
"Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more"

Here is more info:
https://thecyberpost.com/news/security/apache-log4j-vulnerability-actively-e...va-based-apps/
12-12-2021, 10:49 AM   #14
Pentaxian




Join Date: Apr 2007
Location: Romania
Posts: 15,132
Originally posted by StiffLegged:
> Just to be clear: this vulnerability is with Java on Apache installations?

It's with a certain Java library called log4j, which (unsurprisingly) is used to write application logs... except that an attacker might control what's written in the log, and the vulnerability means they could gain access to the system this way.

I'm not exactly clear on what it does and how; that's a subject for tomorrow (i.e. work day).
But the advice to update Java stands. Later versions (even later Java 8 versions) would at least partially mitigate this issue.

log4j is not used only by Apache web server.
12-12-2021, 11:44 AM   #15
Site Supporter
Site Supporter
StiffLegged's Avatar

Join Date: Jan 2018
Photos: Gallery
Posts: 4,560
Okay, thanks guys. I don't run Apache in any shape or form, but my teenagers' Minecraft Java Edition does use log4j and I'll be looking up where/how to update this. Bally gamers!

All times are GMT -7.