[Opensim-dev] Log4Net

Sara Payne sarapayne.uk at gmail.com
Wed Dec 15 00:26:48 UTC 2021


While I am not sure it was strictly necessary, I have just compiled the
latest OpenSim using the log4net NuGet package and latest release. It works
perfectly as a drop-in replacement for the version shipped with OpenSim.
Anyone worried can easily make that change in the code.

On Tue, Dec 14, 2021 at 12:00 PM <opensim-dev-request at opensimulator.org>
wrote:

>
> Today's Topics:
>
>    1. Check if we are impacted by latest Zero-day exploiting Apache
>       Log4j logging library (Ai Austin)
>    2. Re: Check if we are impacted by latest Zero-day exploiting
>       Apache Log4j logging library (Rory Slegtenhorst)
>    3. Re: Check if we are impacted by latest Zero-day exploiting
>       Apache Log4j logging library (Ai Austin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 13 Dec 2021 19:38:31 +0000
> From: Ai Austin <ai.ai.austin at gmail.com>
> To: <opensim-dev at opensimulator.org>
> Subject: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID: <61b7a166.1c69fb81.f9dbf.1477 at mx.google.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> I have been told by the University it is under serious attack (as are
> lots of other institutions and servers) by the latest Zero-day
> exploiting Apache Log4j logging library... Does anyone know if our
> logging using Log4net is impacted (or linked in some way to the
> libraries) or whether we might be vulnerable?
>
> Here are the notes sent to those running servers by our tech team today...
>
> >I suspect that you will have heard of the latest zero-day exploit to
> >hit the news - the Apache Log4j logging library, used by a large
> >number of both open source and proprietary software, can be easily
> >exploited to take control of vulnerable systems remotely. We are
> >already seeing a large number of probes against the systems that we
> >manage, testing for their vulnerability to this exploit. We are
> >confident that your system(s) are similarly being probed.
> >
> >The University has put in place some protection against this
> >vulnerability, but it is crude protection and expected to be worked
> >around fairly swiftly. The only real protection is to take
> >vulnerable systems off-line until they are patched.
> >
> >Identifying whether a system is vulnerable to this exploit is
> >non-trivial as Log4j is commonly shipped in a JAR file with an
> >application - it is not just as simple as checking (with rpm or
> >dpkg) which version of Log4j is installed on the system.
> >
> >The following web-site includes a list of software which is known to
> >be affected -
> >https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/.
> >
> >Guidance from the National Cyber Security Centre is available at :-
> >https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 13 Dec 2021 20:54:50 +0100
> From: Rory Slegtenhorst <rory.slegtenhorst at gmail.com>
> To: opensim-dev at opensimulator.org
> Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID:
>         <
> CALAGUnukaptidafpvbQeOqVu2NF1kKnStYLoM45LUayaEaWHnw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Even though log4net and log4j are related (both are Apache projects), the
> bug is Java only. And even then, it's only log4j2 that's actually
> vulnerable.
> I sincerely doubt that .NET has JNDI support.
>
> Rory Slegtenhorst
> rory dot slegtenhorst at gmail dot com
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 14 Dec 2021 10:10:55 +0000
> From: Ai Austin <ai.ai.austin at gmail.com>
> To: <opensim-dev at opensimulator.org>
> Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID: <61b86db4.1c69fb81.c63e4.e4e0 at mx.google.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> Fred Beckhusen gave me some useful background on this... we use
> Log4Net 2.0.8.0 in the OpenSim 0.9.2.0 release and 0.9.2.1 dev master,
> and Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
> according to CVE-2018-1285...
>
> https://github.com/advisories/GHSA-2cwj-8chv-9pp9
>
> Fred also added that he did hear something about OpenSim not allowing
> arbitrary anything to be injected into Log4Net. Maybe those in the
> know could take a look at that.
>
>
>
> ------------------------------
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at opensimulator.org
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
>
>
> End of Opensim-dev Digest, Vol 75, Issue 2
> ******************************************
>
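The university note quoted in message 1 makes the practical point: Log4j is usually bundled inside an application's JAR (or inside a WAR that contains that JAR), so asking rpm or dpkg which Log4j is installed tells you nothing. The scanner below is an added example, not code from OpenSim or from anyone in this thread: it walks a directory for JAR/WAR/EAR files, recurses into archives nested inside them, reads the log4j-core version from the Maven pom.properties that Log4j jars carry, and checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class (the class the CVE-2021-44228 exploit path goes through, and the one the "delete the class" mitigation removes) is present. The version boundaries are the Apache advisory ones (2.0-beta9 up to 2.15.0 affected by CVE-2021-44228; 2.17.0 closes the follow-up CVEs); the three sample archives in sample_findings() are constructed here for demonstration.

```python
"""Added example: find Log4j 2 copies inside JAR/WAR/EAR archives (nested
ones too), read the log4j-core version from its Maven pom.properties and
check whether the JndiLookup class that CVE-2021-44228 abuses is present.
Not part of OpenSim or of the original thread; the sample archives built
by make_jar() are constructed test data only."""
import io
import os
import re
import sys
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1, (1, '', 0)); '2.0-beta9' -> (2, 0, 0, (0, 'beta', 9)).
    Pre-releases sort below the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", version or "")
    if not m:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, tag, int(tagnum or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0), pre)


FIRST_AFFECTED = parse_version("2.0-beta9")   # first release with JNDI lookups
FIXED_44228 = parse_version("2.15.0")         # CVE-2021-44228 fix
FIXED_FOLLOWUPS = parse_version("2.17.0")     # CVE-2021-45046 / CVE-2021-45105 fixes


def classify(version, has_jndi_lookup):
    """Map (version string or None, JndiLookup.class present?) to a verdict."""
    v = parse_version(version)
    if v is not None and not (FIRST_AFFECTED <= v < FIXED_FOLLOWUPS):
        return "not affected by CVE-2021-44228"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if v is None:
        return "review: JndiLookup present, version unknown"
    if v < FIXED_44228:
        return "VULNERABLE: CVE-2021-44228"
    return "review: CVE-2021-44228 fixed but follow-up CVEs apply, upgrade to 2.17.0+"


def scan_archive(blob, label):
    """Return findings for one archive (bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    # Only report archives that actually carry log4j-core content.
    if version or has_jndi or any(n.startswith(CORE_PREFIX) for n in names):
        findings.append({"path": label, "version": version,
                         "jndi_lookup": has_jndi,
                         "status": classify(version, has_jndi)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), label + "!" + name))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found on disk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_findings():
    """Scan three constructed archives: a vulnerable log4j-core 2.14.1 jar, a WAR
    bundling a 2.14.1 copy with JndiLookup.class deleted, and a 2.17.1 jar."""
    def pom(v):
        return ("version=%s\ngroupId=org.apache.logging.log4j\n" % v).encode()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic, content irrelevant here
    vulnerable = make_jar({POM_PROPERTIES: pom("2.14.1"), JNDI_LOOKUP_CLASS: fake_class})
    mitigated = make_jar({POM_PROPERTIES: pom("2.14.1"), CORE_PREFIX + "Logger.class": fake_class})
    war = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": mitigated, "WEB-INF/web.xml": b"<web-app/>"})
    fixed = make_jar({POM_PROPERTIES: pom("2.17.1"), JNDI_LOOKUP_CLASS: fake_class})
    return (scan_archive(vulnerable, "log4j-core-2.14.1.jar")
            + scan_archive(war, "app.war")
            + scan_archive(fixed, "log4j-core-2.17.1.jar"))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (scan_tree(root) if root else sample_findings()):
        print("%-50s version=%-10s JndiLookup=%-5s %s"
              % (f["path"], f["version"], f["jndi_lookup"], f["status"]))
```

Run it with a directory argument to scan a real host (e.g. a Tomcat webapps tree); without one it scans the constructed samples. Two caveats: the 2.3.1 and 2.12.2 backport releases for old Java versions also carry the CVE-2021-44228 fix but fall inside the "vulnerable" range here, and a shaded jar whose pom.properties was stripped is reported for review rather than given a verdict. None of this touches log4net: OpenSim's logging is .NET, so the scan is for any Java services that happen to share the same host.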

