[Opensim-dev] Check if we are impacted by latest Zero-day exploiting Apache Log4j logging library

Rory Slegtenhorst rory.slegtenhorst at gmail.com
Mon Dec 13 19:54:50 UTC 2021


Even though log4net and log4j are related (both are Apache projects), the
bug is Java only. And even then, it's only log4j2 that's actually
vulnerable.
I sincerely doubt that .NET has JNDI support.

Rory Slegtenhorst
rory dot slegtenhorst at gmail dot com


On Mon, Dec 13, 2021 at 8:39 PM Ai Austin <ai.ai.austin at gmail.com> wrote:

> I have been told by the University it is under serious attack (as are
> lots of other institutions and servers) by the latest Zero-day
> exploiting Apache Log4j logging library... Does anyone know if our
> logging using Log4net is impacted (or linked in some way to the
> libraries) or that we might be vulnerable?
>
> Here are the notes sent to those running servers by our tech team today...
>
> >I suspect that you will have heard of the latest zero-day exploit to
> >hit the news - the Apache Log4j logging library, used by a large
> >number of both open source and proprietary software, can be easily
> >exploited to take control of vulnerable systems remotely. We are
> >already seeing a large number of probes against the systems that we
> >manage, testing for their vulnerability to this exploit. We are
> >confident that your system(s) are similarly being probed.
> >
> >The University has put in place some protection against this
> >vulnerability, but it is crude protection and expected to be worked
> >around fairly swiftly. The only real protection is to take
> >vulnerable systems off-line until they are patched.
> >
> >Identifying whether a system is vulnerable to this exploit is
> >non-trivial as Log4j is commonly shipped in a JAR file with an
> >application - it is not just as simple as checking (with rpm or
> >dpkg) which version of Log4j is installed on the system.
> >
> >The following web-site includes a list of software which is known to
> >be affected -
> >https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/.
>
> >Guidance from the National Cyber Security Centre is available at :-
> >https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

