Java log4j "Zero-day" vulnerability & OpenRocket

StreuB1

Well-Known Member
Joined
Aug 28, 2007
Messages
836
Reaction score
892
Location
Illinois
Are any software developers out there familiar with this new exploit, and do you have any idea if it affects OpenRocket, as OpenRocket is a Java application?

As well, it is not specific to Minecraft. John is just using Minecraft as his platform of choice to tickle the exploit and research it.

This is a remote code execution vulnerability.

 

StreuB1

Mods....

Cross-post from Electronics sub-forum as this is rather important and I want it to get seen.....

This is a remote code execution vulnerability.

 

StreuB1

If I don't play Minecraft or use Open Rocket do I need to worry about this?

Yes, actually. If you use anything that uses Java, or connects to anything that uses Java (servers), then it is a possible vulnerability.
 

manixFan

Not a rocket scientist
Joined
Feb 15, 2009
Messages
2,559
Reaction score
1,777
Location
TX
From what I've read, it's really a threat to server applications that run Java apps that include the log component at risk. The issue is hackers can take control of a server, and from there get access into networks. So if you aren't running a server out of your house, you aren't really at risk, at least not in a way you can do much about.


Here are the critical bits from the article:

"The vulnerability can offer a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network."

and

"The onus will be on organizations running the software, rather than individual consumers, to apply the fixes."

We all have to hope that companies we have accounts with update their software quickly to mitigate the vulnerability.


Tony
 

manixFan

It doesn't really apply to individuals, it's more of a server attack - the very first thing he says in the video is that he used it to take control of a Minecraft server. So running OpenRocket isn't really a concern. If you have a server open to the internet, that's another story.



Tony
 

StreuB1

It's not just a server attack. It is an attack to clients as well that access a server that is vulnerable.
 

manixFan

It's not just a server attack. It is an attack to clients as well that access a server that is vulnerable.
I read nearly every story listed here:


and every one of them described it as a server attack. Minecraft chat boxes seemed to be vulnerable because the software is basically running as a server. The article I linked to clearly says it’s not really something users can fix - server admins need to fix their settings or update software.

Here’s an example quote from the WSJ article:

“The bug, hidden in an obscure piece of server software called Log4j…”

and IT Canada:

“Many open source projects like the Minecraft server, called Paper, have already begun patching their usage of log4j, according to LunaSec”


If you can find an article that lists user apps that are vulnerable, that would be useful. Everything I’ve read indicates it is a server attack.


Tony

PS: you have a terrible avatar
 

cerving

Owner, Eggtimer Rocketry
TRF Sponsor
TRF Supporter
Joined
Feb 3, 2012
Messages
5,355
Reaction score
3,362
Clients rarely run a logging process unless they're doing some kind of debugging. Servers virtually always do, so this is really a server issue. The chance of your computer getting hacked from OR is very small... a whole lot less than getting hacked by clicking around the targeted links on most portal pages.
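
The question that opens this thread, whether a given Java application is exposed at all, can be checked directly by looking inside the application's JAR for log4j-core's JndiLookup class. The scanner below is an added example, not code from any poster or from the OpenRocket project; the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# Class implementing the JNDI lookup in log4j-core 2.x (relocated/shaded copies are not matched).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, name="<archive>", depth=4):
    """Return [(path, version_or_None)] for every bundled copy of JndiLookup."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive; nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                m = re.search(rb"^version=(\S+)", zf.read(POM_PROPS), re.M)
                version = m.group(1).decode() if m else None
            hits.append((name, version))
        # Fat jars and WARs nest other jars, so recurse with a depth limit.
        if depth > 0:
            for entry in names:
                if entry.lower().endswith(ARCHIVE_EXT):
                    hits += scan_archive(zf.read(entry), f"{name}!/{entry}", depth - 1)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an application jar that nests a fake log4j-core jar.
    props = b"groupId=org.apache.logging.log4j\nversion=0.0.0-sample\n"
    log4j = make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: props})
    app = make_jar({"lib/log4j-core.jar": log4j})
    print(scan_archive(app, "app.jar"))
```

To check a real installation, pass the bytes of the application's JAR file to `scan_archive`; an empty list means no unrelocated copy of the class is bundled, while any hit means the reported log4j-core version should be compared against the Apache Log4j security advisory.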
 