#Apache Log4j2
woted2 · 1 month ago
Log4Shell: When a Harmless Library Unleashed Chaos in Cyberspace
In the pantheon of software vulnerabilities, some leave an indelible mark, resonating long after their discovery. CVE-2021-44228, better known as Log4Shell, was not just a vulnerability; it was a seismic event that shook the foundations of global cybersecurity. Imagine for a moment the silent ubiquity of a humble logging library, Apache Log4j2, embedded…
ericvanderburg · 1 year ago
Critical Apache Log4j2 flaw still threatens global finance
http://i.securitythinkingcap.com/T7hwbx
digitalcreationsllc · 2 years ago
2 years on, Log4j still haunts the security community
Dive Brief: Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode.  The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in…
joy-jules · 3 years ago
Log4Shell Quick Lab Setup for Testing
Last month, on December 09 2021, the release of a Remote Code Execution POC over Twitter involving exploitation of Apache’s log4j2 logging class took everyone’s peace away. The attack was pretty simple and the fact that it can be easily exploited by anyone is what made this more terrifying. The first edition of this attack which was exploited in the wild was based on exploitation of JNDILookup…
arkansec · 3 years ago
Log4Shell Resources
For those coming to our January meeting, here are some resources you can use to familiarize yourself with Log4Shell / CVE-2021-44228:
Sample Log4Shell Vulnerable App by christophetd
Log4J2 Security Vulnerabilities page
Log4J2 Release History
JNDI Injection Exploit by welk1n
Initial Log4Shell POC by tangxiaofeng7
LunaSec write-up on Log4Shell
JNDIExploit by feihong-cs
Log4j Vulnerability (Log4Shell) Explained // CVE-2021-44228 YouTube video by LiveOverflow
gslin · 4 years ago
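List of Software Affected by Log4j2
Lately everyone has been busy patching the Log4j2 security vulnerability (mentioned earlier in "The Log4j2 RCE"), and someone has compiled a list of the software currently affected along with links to the corresponding discussions: "Log4Shell log4j vulnerability (CVE-2021-44228) – cheat-sheet reference guide". Using this makes looking things up easier, and you can also browse it to see what other software got hit… Cloudflare's CEO Matthew Prince also mentioned on Twitter that, judging from their data, attacks were already running in the wild on 2021/12/01, which is also why this was previously called a 0-day: Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was…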
leni · 4 years ago
Java Log4j2 sux <=2.14.1 = JNDI Log4j vulnerability
Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
from https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Wowow
Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
via https://logging.apache.org/log4j/2.x/security.html
kalilinux4u · 3 years ago
❗ ADVISORY ❗ An advisory has just been released for Apache Log4j2 library. We recommend Australian organisations check whether products they use are affected by a Log4j2 vulnerability. https://t.co/6IAQlR5962 https://t.co/fe7WnGpc56 (via Twitter https://twitter.com/CyberGovAU/status/1471037527788335114)
brilworks · 2 years ago
What’s New in Spring Boot 3 for Java Developers in 2023
A guide to the latest Spring Boot versions, as well as the addition of new features and enhancements to the latest update.
The Spring team released Spring Boot 3 in November 2022; it includes GraalVM native image support, enhanced Log4j2, Improved @ConstructorBinding, and a handful of new features. This article examines what’s new for Java web development in Spring Boot 3.
What is Spring Boot?
It is an open-source Java development framework that incorporates conventional Spring MVC features allowing developers to leverage Spring framework’s functionalities. If we talk about features, it has robust tools for developing production-grade, robust, asynchronous, and non-blocking web apps. In addition to this, developers can explore a range of configured templates, pre-built modules for services, and security, allowing developers to develop applications at a faster pace.
The Spring Boot 2.X line was a remarkable journey for Java developers as it delivered 95 distinct releases and new functionalities throughout its 4-year timeframe. Nonetheless, the Spring team has ensured open-source support for the 2.7 version until November 2023, and commercial support will continue till 2025.
What’s New in Spring Boot 3?
Moving on to the new features, Spring Boot 3 has some significant additions, including GraalVM native image support, which optimizes application performance. Developers can leverage this new feature to create native images for their Spring Boot applications, leading to faster startup times and lower memory footprints. Additionally, the latest version includes several other updates and enhancements that improve the development experience and provide a better user interface.
1. GraalVM Native Image Support
Furthermore, it’s worth noting that Spring Boot 3 now supports GraalVM native images. This development allows developers to convert Spring Boot applications into native images that have a lesser memory footprint and faster compilation.
For those who don’t know, GraalVM is a runtime environment that allows for the faster execution of Java code. You can learn more about GraalVM in Spring by exploring the resources available here.
2. Log4j2 enhancement
Log4j2, the logging tool available in the Spring Boot framework, includes a few incremental improvements, which are as follows:
Profile-specific Configuration
Environment Properties Lookup
Log4j2 System Properties
For more details, you can check the documentation page.
3. Improved @ConstructorBinding Detection
These improvements in constructor binding will make it easier to use constructor binding with @ConfigurationProperties classes and simplify the code.
When you use constructor-bound @ConfigurationProperties, Spring Boot no longer requires the @ConstructorBinding annotation if the class has a single parameterized constructor. However, if you have more than one constructor, you still need to use @ConstructorBinding to inform Spring Boot which one to use.
For most users, this updated logic will allow for simpler @ConfigurationProperties classes. However, if you have a @ConfigurationProperties and want to inject beans into the constructor rather than binding it, you’ll now need to add an @Autowired annotation.
4. Micrometer Updates
Micrometer, a monitoring tool for Spring applications, includes several enhancements and improvements.
Auto-configuration for Micrometer Observation API
Auto-configuration for Micrometer Tracing
Auto-configuration for Micrometer’s OtlpMeterRegistry
5. Prometheus Support
In Spring Boot 3, Auto-Configuration for Prometheus Exemplars and Push Gateway can be configured to perform a PUT on shutdown. Furthermore, Spring Boot has deprecated the existing push setting and now recommends using post instead.
6. Miscellaneous
Auto-configuration for the new Elasticsearch Java Client has been introduced.
Apache HTTP client a JdkClientHttpConnector will now be auto-configured
The @SpringBootTest annotation can now use the main of any discovered @SpringBootConfiguration class if it’s available. This means that tests can now pick up any custom SpringApplication configuration performed by your main method.
Read more at https://www.brilworks.com/blog/whats-new-in-spring-boot-3-for-java-developers-in-2023/
computingpostcom · 3 years ago
Application Performance Monitoring (APM) can be defined as the process of discovering, tracing, and performing diagnoses on cloud software applications in production. These tools enable better analysis of network topologies with improved metrics and user experiences. Pinpoint is an open-source Application Performance Management (APM) trusted by millions of users around the world. Pinpoint, inspired by Google Dapper, is written in Java, PHP, and Python programming languages. This project was started in July 2012 and later released to the public in January 2015. Since then, it has served as the best solution to analyze the structure as well as the interconnection between components across distributed applications.
Features of Pinpoint APM
Offers Cloud and server Monitoring.
Distributed transaction tracing to trace messages across distributed applications
Overview of the application topology – traces transactions between all components to identify potentially problematic issues.
Lightweight – has a minimal performance impact on the system.
Provides code-level visibility to easily identify points of failure and bottlenecks
Software as a Service.
Offers the ability to add a new functionality without code modifications by using the bytecode instrumentation technique
Automatic detection of the application topology that helps understand the configurations of an application
Real-time monitoring – observe active threads in real-time.
Horizontal scalability to support large-scale server group
Transaction code-level visibility – response patterns and request counts.
This guide aims to help you deploy Pinpoint APM (Application Performance Management) in Docker Containers.
Pinpoint APM Supported Modules
Below is a list of modules supported by Pinpoint APM (Application Performance Management):
ActiveMQ, RabbitMQ, Kafka, RocketMQ
Arcus, Memcached, Redis(Jedis, Lettuce), CASSANDRA, MongoDB, Hbase, Elasticsearch
MySQL, Oracle, MSSQL(jtds), CUBRID, POSTGRESQL, MARIA
Apache HTTP Client 3.x/4.x, JDK HttpConnector, GoogleHttpClient, OkHttpClient, NingAsyncHttpClient, Akka-http, Apache CXF
JDK 7 and above
Apache Tomcat 6/7/8/9, Jetty 8/9, JBoss EAP 6/7, Resin 4, Websphere 6/7/8, Vertx 3.3/3.4/3.5, Weblogic 10/11g/12c, Undertow
Spring, Spring Boot (Embedded Tomcat, Jetty, Undertow), Spring asynchronous communication
Thrift Client, Thrift Service, DUBBO PROVIDER, DUBBO CONSUMER, GRPC
iBATIS, MyBatis
log4j, Logback, log4j2
DBCP, DBCP2, HIKARICP, DRUID
gson, Jackson, Json Lib, Fastjson
Deploy Pinpoint APM (Application Performance Management) in Docker Containers
Deploying the Pinpoint APM docker container can be achieved using the below steps:
Step 1 – Install Docker and Docker-Compose on Linux.
Pinpoint APM requires a Docker version 18.02.0 and above. The latest available version of Docker can be installed with the aid of the guide below:
How To Install Docker CE on Linux Systems
Once installed, ensure that the service is started and enabled as below.
sudo systemctl start docker && sudo systemctl enable docker
Check the status of the service.
$ systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-01-19 02:51:04 EST; 1min 4s ago
     Docs: https://docs.docker.com
 Main PID: 34147 (dockerd)
    Tasks: 8
   Memory: 31.3M
   CGroup: /system.slice/docker.service
           └─34147 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Verify the installed Docker version.
$ docker version
Client: Docker Engine - Community
 Version: 20.10.12
 API version: 1.41
 Go version: go1.16.12
 Git commit: e91ed57
 Built: Mon Dec 13 11:45:22 2021
 OS/Arch: linux/amd64
 Context: default
 Experimental: true
.....
Now proceed and install Docker-compose using the dedicated guide below:
How To Install Docker Compose on Linux
Add your system user to the Docker group to be able to run docker commands without sudo
sudo usermod -aG docker $USER
newgrp docker
Step 2 – Deploy the Pinpoint APM (Application Performance Management)
The Pinpoint docker container can be deployed by pulling the official docker image as below. Ensure that git is installed on your system before you proceed.
git clone https://github.com/naver/pinpoint-docker.git
Once the image has been pulled, navigate into the directory.
cd pinpoint-docker
Now we will run the Pinpoint container that will have the following containers joined to the same network:
The Pinpoint-Web Server
Pinpoint-Agent
Pinpoint-Collector
Pinpoint-QuickStart(a sample application, 1.8.1+)
Pinpoint-Mysql(to support certain feature) This may take several minutes to download all necessary images.
Pinpoint-Flink(to support certain feature)
Pinpoint-Hbase
Pinpoint-Zookeeper
All these components and their configurations are defined in the docker-compose YAML file that can be viewed below.
cat docker-compose.yml
Now start the container as below.
docker-compose pull
docker-compose up -d
Sample output:
.......
[+] Running 14/14
 ⠿ Network pinpoint-docker_pinpoint Created 0.3s
 ⠿ Volume "pinpoint-docker_mysql_data" Created 0.0s
 ⠿ Volume "pinpoint-docker_data-volume" Created 0.0s
 ⠿ Container pinpoint-docker-zoo3-1 Started 3.7s
 ⠿ Container pinpoint-docker-zoo1-1 Started 3.0s
 ⠿ Container pinpoint-docker-zoo2-1 Started 3.4s
 ⠿ Container pinpoint-mysql Sta... 3.8s
 ⠿ Container pinpoint-flink-jobmanager Started 3.4s
 ⠿ Container pinpoint-hbase Sta... 4.0s
 ⠿ Container pinpoint-flink-taskmanager Started 5.4s
 ⠿ Container pinpoint-collector Started 6.5s
 ⠿ Container pinpoint-web Start... 5.6s
 ⠿ Container pinpoint-agent Sta... 7.9s
 ⠿ Container pinpoint-quickstart Started 9.1s
Once the process is complete, check the status of the containers.
$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
cb17fe18e96d   pinpointdocker/pinpoint-quickstart   "catalina.sh run"   54 seconds ago   Up 44 seconds   0.0.0.0:8000->8080/tcp, :::8000->8080/tcp   pinpoint-quickstart
732e5d6c2e9b   pinpointdocker/pinpoint-agent:2.3.3   "/usr/local/bin/conf…"   54 seconds ago   Up 46 seconds   pinpoint-agent
4ece1d8294f9   pinpointdocker/pinpoint-web:2.3.3   "sh /pinpoint/script…"   55 seconds ago   Up 48 seconds   0.0.0.0:8079->8079/tcp, :::8079->8079/tcp, 0.0.0.0:9997->9997/tcp, :::9997->9997/tcp   pinpoint-web
79f3bd0e9638   pinpointdocker/pinpoint-collector:2.3.3   "sh /pinpoint/script…"   55 seconds ago   Up 47 seconds   0.0.0.0:9991-9996->9991-9996/tcp, :::9991-9996->9991-9996/tcp, 0.0.0.0:9995-9996->9995-9996/udp, :::9995-9996->9995-9996/udp   pinpoint-collector
4c4b5954a92f   pinpointdocker/pinpoint-flink:2.3.3   "/docker-bin/docker-…"   55 seconds ago   Up 49 seconds   6123/tcp, 0.0.0.0:6121-6122->6121-6122/tcp, :::6121-6122->6121-6122/tcp, 0.0.0.0:19994->19994/tcp, :::19994->19994/tcp, 8081/tcp   pinpoint-flink-taskmanager
86ca75331b14   pinpointdocker/pinpoint-flink:2.3.3   "/docker-bin/docker-…"   55 seconds ago   Up 51 seconds   6123/tcp, 0.0.0.0:8081->8081/tcp, :::8081->8081/tcp   pinpoint-flink-jobmanager
e88a13155ce8   pinpointdocker/pinpoint-hbase:2.3.3   "/bin/sh -c '/usr/lo…"   55 seconds ago   Up 50 seconds   0.0.0.0:16010->16010/tcp, :::16010->16010/tcp, 0.0.0.0:16030->16030/tcp, :::16030->16030/tcp, 0.0.0.0:60000->60000/tcp, :::60000->60000/tcp, 0.0.0.0:60020->60020/tcp, :::60020->60020/tcp   pinpoint-hbase
4a2b7dc72e95   zookeeper:3.4   "/docker-entrypoint.…"   56 seconds ago   Up 52 seconds   2888/tcp, 3888/tcp, 0.0.0.0:49154->2181/tcp, :::49154->2181/tcp   pinpoint-docker-zoo2-1
3ae74b297e0f   zookeeper:3.4   "/docker-entrypoint.…"   56 seconds ago   Up 52 seconds   2888/tcp, 3888/tcp, 0.0.0.0:49155->2181/tcp, :::49155->2181/tcp   pinpoint-docker-zoo3-1
06a09c0e7760   zookeeper:3.4   "/docker-entrypoint.…"   56 seconds ago   Up 52 seconds   2888/tcp, 3888/tcp, 0.0.0.0:49153->2181/tcp, :::49153->2181/tcp   pinpoint-docker-zoo1-1
91464a430c48   pinpointdocker/pinpoint-mysql:2.3.3   "docker-entrypoint.s…"   56 seconds ago   Up 52 seconds   0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp   pinpoint-mysql
Access the Pinpoint APM (Application Performance Management) Web UI
The Pinpoint Web runs on the default port 8079 and can be accessed using the URL http://IP_address:8079. You will be granted the below page.
Select the desired application to analyze. For this case, we will analyze our deployed Quickapp. Select the application and proceed.
Here, click on inspector to view the detailed metrics. Here select the app-in-docker
You can also make settings to Pinpoint such as setting user groups, alarms, themes etc.
Under administration, you can view agent statistics for your application
Manage your applications under the agent management tab
To set an alarm, you first need to have a user group created. You also need to create a pinpoint user and add them to the user group as below.
With the user group, an alarm for your application can be created, a rule and notification methods to the group members added as shown.
Now you will have your alarm configured as below.
You can also switch to the dark theme which appears as below.
View the Apache Flink Task manager page using the URL http://IP_address:8081.
Voila! We have triumphantly deployed Pinpoint APM (Application Performance Management) in Docker Containers. Now you can discover, trace, and perform diagnoses on your applications.
nicola-top · 3 years ago
How to Download and Install Debian 10 Buster
Whether you install Debian 10 Buster or 11, 9 or 8 is not that important. What matters is that building a server starts with installing the OS. Debian can be installed on a PC, a laptop or full-fledged server hardware. It is important to understand that Linux systems are intended for server administration. That is why installing the Debian distribution is the first-priority task. In previous guides I covered installing debian 8.5 jessie and debian 9.1 stretch; the installation steps have not changed. We still need to perform all the same actions.
Debian remains a key Linux distribution. The system is old and in demand; the Debian distribution is considered the most secure and protected compared with other Linux systems. Nevertheless, developer support for this distribution will end in just a couple of years.
Increased stability is the most important thing I like about Debian.
The new updated release of Debian 10 buster came out on March 26, 2022. The distribution has many system security fixes. Stricter OpenSSL signature verification algorithms.
A large number of existing bugs in packages and components have been fixed; here is a short excerpt: apache-log4j1.2, apache-log4j2, atftp, base-files, beads, btrbk, cargo-mozilla, chrony, cimg, clamav, cups, debian-installer, debian-installer-netboot-images, detox, evolution-data-server, linux-signed-amd64, linux-signed-arm64, linux-signed-i386, llvm-toolchain-11, etc.
System security packages have been updated; here are some of them: samba, apache2, neutron, wordpress, tomcat9, squashfs-tools, php7.3, bind9, postgresql-11, libxml-security-java, apache-log4j2, xorg-server, spip, djvulibre, debian-edu-config, h2database, linux-signed-amd64, linux-signed-arm64, linux-signed-i386, tryton-server, etc.
Useless packages have been removed: angular-maven-plugin and minify-maven-plugin. In this guide I will explain how to install Debian 10 buster on a computer, laptop or server hardware, for subsequent configuration and installation of server software.
Source here: https://nicola.top/kak-skachat-i-ustanovit-debian-10-buster/
knowasiak · 3 years ago
Unusual Log4j2 vulnerability
Unusual Log4j2 vulnerability Serene Description Apache Log4j2 versions 2.0-beta7 by design of 2.17.0 (besides for security repair releases 2.3.2 and a pair of.12.4) are at likelihood of a a lot away code execution (RCE) attack where an attacker with permission to switch the logging configuration file can originate a malicious configuration utilizing a JDBC Appender with a… Read the full story –…
gslin · 4 years ago
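The Log4j2 RCE
The Log4j2 RCE broke yesterday; looking at the pattern, pretty much anything on a Java stack should be easily hit: "Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package"; the corresponding Hacker News discussion can be read at "Log4j RCE Found (lunasec.io)". LunaSec claims this is a 0-day RCE, but the fixed Log4j2 version 2.15.0 came out on 2021/12/06 while the exploit was released on 2021/12/09, though it is unclear whether exploits were already flying around the internet before that… The released exploit sample (CVE-2021-44228-Apache-Log4j-Rce) attacks via LDAP; although most Java…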
kalilinux4u · 3 years ago
❗ ALERT ❗A vulnerability exists in certain versions of Apache Log4j2 library. ACSC recommends affected organisations apply the available patch. Advice at: https://t.co/m6lnzJmS4F https://t.co/OecocrqCm2 (via Twitter https://twitter.com/CyberGovAU/status/1469267012811636736)
techglobal · 4 years ago
Chinese hackers exploit the most serious security hole of the decade
Hacker groups from China and many other countries quickly took advantage of Log4Shell, the most serious security flaw in the past few years. On the official website, Microsoft said that its research teams have recognized many attacks that exploit the Apache Log4j2 security vulnerability, or Log4Shell. The company said government-linked hacker groups from China, Iran, and Turkey took advantage of…