Java log4j "Zero-day" vulnerability & OpenRocket

The Rocketry Forum


StreuB1

Are any software developers out there familiar with this new exploit, and do you have any idea if it affects OpenRocket, as OpenRocket is a Java application?

As well, it is not specific to Minecraft. John is just using Minecraft as his platform of choice to tickle the exploit and research it.

This is a remote code execution vulnerability.

 
If I don't play Minecraft or use Open Rocket do I need to worry about this?

Yes, actually. If you use anything that uses Java, or connects to anything that uses Java (servers), then it is a possible vulnerability.
 
From what I've read, it's really a threat to server applications that run Java apps that include the log component at risk. The issue is hackers can take control of a server, and from there get access into networks. So if you aren't running a server out of your house, you aren't really at risk, at least not in a way you can do much about.

https://www.cnn.com/2021/12/11/politics/dhs-log4j-software-flaw-warning/index.html
Here are the critical bits from the article:

"The vulnerability can offer a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network."

and

"The onus will be on organizations running the software, rather than individual consumers, to apply the fixes."

We all have to hope that companies we have accounts with update their software quickly to mitigate the vulnerability.


Tony
 
The vulnerability can run on the client side as well, not just the server.
 
It's not just a server attack. It is an attack to clients as well that access a server that is vulnerable.
 
It's not just a server attack. It is an attack to clients as well that access a server that is vulnerable.
I read nearly every story listed here:

https://news.google.com/stories/CAA...ZOVcyUVBCOUhTZ0FQAQ?hl=en-US&gl=US&ceid=US:en
and every one of them described it as a server attack. Minecraft chat boxes seemed to be vulnerable because the software is basically running as a server. The article I linked to clearly says it’s not really something users can fix - server admins need to fix their settings or update software.

Here’s an example quote from the WSJ article:

“The bug, hidden in an obscure piece of server software called Log4j…”

and IT Canada:

“Many open source projects like the Minecraft server, called Paper, have already begun patching their usage of log4j, according to LunaSec”


If you can find an article that lists user apps that are vulnerable, that would be useful. Everything I’ve read indicates it is a server attack.


Tony

PS: you have a terrible avatar
 
Clients rarely run a logging process unless they're doing some kind of debugging. Servers virtually always do, so this is really a server issue. The chance of your computer getting hacked from OR is very small... a whole lot less than getting hacked by clicking around the targeted links on most portal pages.
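On the thread's opening question of whether a given Java application includes the affected component: the sketch below is an added example, not code from any poster or from OpenRocket. It scans a JAR, including JARs nested inside it, for `JndiLookup.class`, the class in log4j-core 2.x that implements the JNDI lookup. The function names and the sample archive are hypothetical and constructed, and a hit only shows that log4j-core 2.x is bundled, not that the bundled version is a vulnerable one.

```python
import io
import sys
import zipfile

# Class that implements the JNDI lookup inside log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label, depth=0, max_depth=5):
    """Return "outer.jar!/inner.jar!/Class" paths where JndiLookup.class is bundled."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to report
    with archive:
        for name in archive.namelist():
            if name.endswith(JNDI_LOOKUP):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Application JARs often nest their libraries as inner JARs.
                hits += find_jndi_lookup(archive.read(name), f"{label}!/{name}",
                                         depth + 1, max_depth)
    return hits


def make_jar(entries):
    """Build a constructed in-memory JAR from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real file, e.g. an application JAR
        with open(sys.argv[1], "rb") as fh:
            found = find_jndi_lookup(fh.read(), sys.argv[1])
    else:  # constructed sample: an app JAR that nests a logging library
        lib = make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
        app = make_jar({"app/Main.class": b"", "lib/logging-lib.jar": lib})
        found = find_jndi_lookup(app, "sample-app.jar")
    print("\n".join(found) or "JndiLookup.class not found")
```

Run it with the path to an application's JAR as the only argument; with no argument it scans the constructed sample.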
 