Our great sponsors
-
Apache Log4j 2
Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.
-
adoptium.net
Discontinued Development of the website has moved to https://github.com/adoptium/website-v2
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
ThreatMapper
Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
-
rg32hash
Open source RadioGatún[32] implementations in C, C++, Python, PHP, Javascript, Lua, and C# (.NET)
Minecraft servers were one part of it... Minecraft clients where another.
If you sent a message to everyone with a client (that logged that message), everyone with a client would at least ping back to the ldap server.
The issue where this was introduced was: https://issues.apache.org/jira/browse/LOG4J2-313
That's from 2013. On the other hand, nothing with it really happened until someone asked if it was a security vulnerability - https://github.com/apache/logging-log4j2/pull/608#issuecomme...
And then all hell broke loose.
Simply said, this was a feature that was intended to make it easier for one company to use their structure with ldap lookups for where/how to log. The author of the change did what many people encourage others to do when working with open source "here's some code that I wrote, I'm contributing it back upstream."
If this was part of something "bigger", it sat quiet for the better part of a decade.
How we visualized and fixed runtime exposure due to vulnerable Elasticsearch, using ThreatMapper
https://deepfence.io/cve-2021-44228-log4j2-exploitability-an...
https://github.com/deepfence/ThreatMapper
Thank you again for the informative reply. I saw two dbus-daemons running on my Ubuntu server; I killed the user d-bus daemon process running as me and nothing seems to break, so while it’s there, it doesn’t seem to be used by anything on my server.
While I do note that systemd man page, it goes in to no detail about how dbus leaks the environment.
Looking at the D-Bus specification [1], org.freedesktop.DBus.UpdateActivationEnvironment is the only thing which concerns itself about the environment. It says that the “session bus activated services inherit the environment of the bus daemon”, so it looks like the D-Bus leakage is any system-level environmental variables set when the D-Bus daemons are started, or any variables set using UpdateActivationEnvironment.
The concern here appears to be that system-level environmental variables aren’t safe. Now, nothing about a user process setting something like export FOO="top secret password" being unsafe.
I have already noted the various ways environmental variables can leak over at https://github.com/samboy/rg32hash/blob/master/C/microrg32.m... and will update the D-Bus information based on what I read in the D-Bus spec.
[1] https://dbus.freedesktop.org/doc/dbus-specification.html
Related posts
- RCE 0-day exploit found in log4j, a popular Java logging package
- ☸️ Kubernetes: From your docker-compose file to a cluster with Kompose
- KWOK : mettre en place un cluster de milliers de nœuds en quelques secondes …
- KUBERNETES - CI/CD WITH TEKTON & ARGO CD
- A morning with the Rabbit R1: a fun, funky, unfinished AI gadget