[Opensim-dev] Log4Net

Teravus Ovares teravus at gmail.com
Wed Dec 15 03:55:29 UTC 2021


But also, the log4j vulnerability requires that you are running on Java
because it takes advantage of some features of Java. Even if Log4Net
doesn't check the input, there are no JNDI calls in .NET, so you're not
going to be able to call LDAP with a payload.

On Tue, Dec 14, 2021 at 4:27 PM Sara Payne <sarapayne.uk at gmail.com> wrote:

> While I am not sure it was strictly necessary I have just compiled the
> latest opensim using the log4net NuGet package and latest release. It works
> perfectly as a drop-in replacement for the version shipped with opensim.
> Anyone worried can easily make that change in the code.
>
> On Tue, Dec 14, 2021 at 12:00 PM <opensim-dev-request at opensimulator.org>
> wrote:
>
> > Send Opensim-dev mailing list submissions to
> >         opensim-dev at opensimulator.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> > or, via email, send a message with subject or body 'help' to
> >         opensim-dev-request at opensimulator.org
> >
> > You can reach the person managing the list at
> >         opensim-dev-owner at opensimulator.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Opensim-dev digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Check if we are impacted by latest Zero-day exploiting Apache
> >       Log4j logging library (Ai Austin)
> >    2. Re: Check if we are impacted by latest Zero-day exploiting
> >       Apache Log4j logging library (Rory Slegtenhorst)
> >    3. Re: Check if we are impacted by latest Zero-day exploiting
> >       Apache Log4j logging library (Ai Austin)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 13 Dec 2021 19:38:31 +0000
> > From: Ai Austin <ai.ai.austin at gmail.com>
> > To: <opensim-dev at opensimulator.org>
> > Subject: [Opensim-dev] Check if we are impacted by latest Zero-day
> >         exploiting Apache Log4j logging library
> > Message-ID: <61b7a166.1c69fb81.f9dbf.1477 at mx.google.com>
> > Content-Type: text/plain; charset="us-ascii"; format=flowed
> >
> > I have been told by the University it is under serious attack (as are
> > lots of other institutions and servers) by the latest Zero-day
> > exploiting Apache Log4j logging library... Does anyone know if our
> > logging using Log4net is impacted (or linked in some way to the
> > libraries) or that we might be vulnerable?
> >
> > Here are the notes sent to those running servers by our tech team
> > today...
> >
> > >I suspect that you will have heard of the latest zero-day exploit to
> > >hit the news - the Apache Log4j logging library, used by a large
> > >number of both open source and proprietary software, can be easily
> > >exploited to take control of vulnerable systems remotely. We are
> > >already seeing a large number of probes against the systems that we
> > >manage, testing for their vulnerability to this exploit. We are
> > >confident that your system(s) are similarly being probed.
> > >
> > >The University has put in place some protection against this
> > >vulnerability, but it is crude protection and expected to be worked
> > >around fairly swiftly. The only real protection is to take
> > >vulnerable systems off-line until they are patched.
> > >
> > >Identifying whether a system is vulnerable to this exploit is non-trivial
> > >as Log4j is commonly shipped in a JAR file with an
> > >application - it is not just as simple as checking (with rpm or
> > >dpkg) which version of Log4j is installed on the system.
> > >
> > >The following web-site includes a list of software which is known to
> > >be affected -
> > >https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
> >
> > >Guidance from the National Cyber Security Centre is available at :-
> > >https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 13 Dec 2021 20:54:50 +0100
> > From: Rory Slegtenhorst <rory.slegtenhorst at gmail.com>
> > To: opensim-dev at opensimulator.org
> > Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
> >         exploiting Apache Log4j logging library
> > Message-ID: <CALAGUnukaptidafpvbQeOqVu2NF1kKnStYLoM45LUayaEaWHnw at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Even though log4net and log4j are related (both are apache projects), the
> > bug is Java only. And even then, it's only log4j2 that's actually
> > vulnerable.
> > I sincerely doubt that .Net has JNDI support.
> >
> > Rory Slegtenhorst
> > rory dot slegtenhorst at gmail dot com
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Tue, 14 Dec 2021 10:10:55 +0000
> > From: Ai Austin <ai.ai.austin at gmail.com>
> > To: <opensim-dev at opensimulator.org>
> > Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
> >         exploiting Apache Log4j logging library
> > Message-ID: <61b86db4.1c69fb81.c63e4.e4e0 at mx.google.com>
> > Content-Type: text/plain; charset="us-ascii"; format=flowed
> >
> > Fred Beckhsuen gave me some useful background on this... we use
> > Log4Net 2.0.8.0 in OpenSim 0.9.2.0 release and 0.9.21. Dev master,
> > and Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
> > according to CVE-2018-1285...
> >
> > https://github.com/advisories/GHSA-2cwj-8chv-9pp9
> >
> > Fred also added that he did hear something about OpenSim not allowing
> > arbitrary anything to be injected into Log4Net. Maybe those in the
> > know could take a look at that.
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev at opensimulator.org
> > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> >
> >
> > End of Opensim-dev Digest, Vol 75, Issue 2
> > ******************************************
> >


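Ai Austin's message above gives operators a concrete threshold: log4net releases before 2.0.10 are the ones the linked advisory (GHSA-2cwj-8chv-9pp9 / CVE-2018-1285) covers, and OpenSim shipped 2.0.8.0. Sara's note that the NuGet package works as a drop-in replacement means the practical check is "which log4net version does this checkout actually reference?". The script below is an added example, not OpenSim project code: it walks a source tree, pulls every log4net reference out of NuGet `packages.config` files and `PackageReference` items in `.csproj` files, and flags versions below 2.0.10. The directory layout, file names and sample version strings are assumptions constructed for the demo.

```python
"""Audit a source tree for log4net package references older than 2.0.10.

Added example, not OpenSim's own code. The 2.0.10 threshold is the fixed
version named in the thread for CVE-2018-1285 (GHSA-2cwj-8chv-9pp9).
Sample files below are constructed for the demo; real trees may differ.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 0, 10)  # first release the advisory lists as fixed


def parse_version(text):
    """'2.0.8.0' -> (2, 0, 8, 0). Parsing stops at the first non-numeric
    component, so a prerelease tag such as '2.0.9-beta' becomes (2, 0, 9)."""
    parts = []
    for piece in re.split(r"[.\-+]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the referenced version is older than FIXED_VERSION.
    Tuple comparison copes with different lengths: (2, 0, 10, 0) is not < (2, 0, 10)."""
    return parse_version(version_text) < FIXED_VERSION


def _local(tag):
    """Strip an XML namespace: '{http://...}PackageReference' -> 'PackageReference'."""
    return tag.rsplit("}", 1)[-1]


def log4net_references(root_dir):
    """Yield (path, version_text) for every log4net reference under root_dir.
    Handles NuGet packages.config and PackageReference items in .csproj files
    (SDK-style without namespace, legacy MSBuild with the msbuild namespace)."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "packages.config":
                for pkg in ET.parse(path).getroot().iter():
                    if _local(pkg.tag) == "package" and pkg.get("id", "").lower() == "log4net":
                        yield path, pkg.get("version", "")
            elif name.endswith(".csproj"):
                for ref in ET.parse(path).getroot().iter():
                    if _local(ref.tag) != "PackageReference":
                        continue
                    if ref.get("Include", "").lower() != "log4net":
                        continue
                    version = ref.get("Version")
                    if version is None:  # legacy layout: <Version> child element
                        for child in ref:
                            if _local(child.tag) == "Version":
                                version = (child.text or "").strip()
                    yield path, version or ""


def audit(root_dir):
    """Return one finding per log4net reference: relative path, version, flag."""
    return [
        {"path": os.path.relpath(path, root_dir), "version": version,
         "vulnerable": is_vulnerable(version)}
        for path, version in log4net_references(root_dir)
    ]


# Constructed sample tree (hypothetical project names and version strings).
SAMPLE_FILES = {
    # mirrors the 2.0.8.0 the thread says ships with OpenSim 0.9.2.0
    "bin/packages.config": (
        '<?xml version="1.0" encoding="utf-8"?>\n<packages>\n'
        '  <package id="Newtonsoft.Json" version="13.0.1" targetFramework="net48" />\n'
        '  <package id="log4net" version="2.0.8.0" targetFramework="net48" />\n'
        '</packages>\n'),
    # SDK-style project rebuilt against a newer NuGet release
    "OpenSim.Rebuilt/OpenSim.Rebuilt.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <PackageReference Include="log4net" Version="2.0.12" />\n'
        '  </ItemGroup>\n</Project>\n'),
    # legacy MSBuild layout with a namespace and a <Version> child element
    "OpenSim.Legacy/OpenSim.Legacy.csproj": (
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
        '  <ItemGroup>\n    <PackageReference Include="Log4Net">\n'
        '      <Version>2.0.9</Version>\n    </PackageReference>\n'
        '  </ItemGroup>\n</Project>\n'),
}


def build_sample_tree():
    """Write the constructed sample files into a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="log4net-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_tree()):
        flag = "UPDATE" if finding["vulnerable"] else "ok"
        print(f'{flag:6} {finding["version"]:8} {finding["path"]}')
```

Run it against a real checkout with `audit("/path/to/opensim")`; anything flagged `UPDATE` is a reference still below the 2.0.10 threshold from the thread. The check only covers package manifests, so a prebuilt `log4net.dll` copied into `bin/` by hand still has to be inspected separately.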