I'm getting multiple people asking. The short answer is that this is very, very bad. However, for most readers there's nothing they can (or should) do.
The long answer is, well, long. Security guru Bruce Schneier thinks that it's really bad. Lawrence has an excellent post for the non Security nerd that goes into some depth on why this is so bad. It will also be obvious to you why there's nothing you can do about this (unless you're a professional IT Security Geek).
The medium length answer is that Log4j is an open source logging program included in just about everything on the Internet. Logging is A Good Thing, because if someone messes around with your system the logs will tell you a lot about what they were up to. However, Log4j doesn't check the data that it writes to the log file, and in particular allows a malicious attacker to include executable code that the system will run. So an attacker can attempt to log in using a made up username that executes all sorts of malicious commands. It's basically an Internet-wide Bobby Tables situation:
And like I said, there's pretty much nothing you can do.
Other than laughing, you're right.
ReplyDeleteDon't do anything with the log file using any account that has privs?
ReplyDeleteWould wearing a paper facemask help?
ReplyDelete