While I am not sure it was strictly necessary, I have just compiled the latest OpenSim using the log4net NuGet package and latest release. It works perfectly as a drop-in replacement for the version shipped with OpenSim. Anyone worried can easily make that change in the code.
On Tue, Dec 14, 2021 at 12:00 PM <opensim-dev-requ...@opensimulator.org> wrote:
> Send Opensim-dev mailing list submissions to
>         opensim-dev@opensimulator.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> or, via email, send a message with subject or body 'help' to
>         opensim-dev-requ...@opensimulator.org
>
> You can reach the person managing the list at
>         opensim-dev-ow...@opensimulator.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Opensim-dev digest..."
>
>
> Today's Topics:
>
>    1. Check if we are impacted by latest Zero-day exploiting Apache
>       Log4j logging library (Ai Austin)
>    2. Re: Check if we are impacted by latest Zero-day exploiting
>       Apache Log4j logging library (Rory Slegtenhorst)
>    3. Re: Check if we are impacted by latest Zero-day exploiting
>       Apache Log4j logging library (Ai Austin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 13 Dec 2021 19:38:31 +0000
> From: Ai Austin <ai.ai.aus...@gmail.com>
> To: <opensim-dev@opensimulator.org>
> Subject: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID: <61b7a166.1c69fb81.f9dbf.1...@mx.google.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> I have been told by the University it is under serious attack (as are
> lots of other institutions and servers) by the latest Zero-day
> exploiting Apache Log4j logging library... Does anyone know if our
> logging using Log4net is impacted (or linked in some way to the
> libraries) or that we might be vulnerable?
>
> Here are the notes sent to those running servers by our tech team today...
>
> >I suspect that you will have heard of the latest zero-day exploit to
> >hit the news - the Apache Log4j logging library, used by a large
> >number of both open source and proprietary software, can be easily
> >exploited to take control of vulnerable systems remotely. We are
> >already seeing a large number of probes against the systems that we
> >manage, testing for their vulnerability to this exploit. We are
> >confident that your system(s) are similarly being probed.
> >
> >The University has put in place some protection against this
> >vulnerability, but it is crude protection and expected to be worked
> >around fairly swiftly. The only real protection is to take
> >vulnerable systems off-line until they are patched.
> >
> >Identifying whether a system is vulnerable to this exploit is non-trivial
> >as Log4j is commonly shipped in a JAR file with an
> >application - it is not just as simple as checking (with rpm or
> >dpkg) which version of Log4j is installed on the system.
> >
> >The following web-site includes a list of software which is known to
> >be affected -
> >https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/.
> >
> >Guidance from the National Cyber Security Centre is available at :-
> >https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 13 Dec 2021 20:54:50 +0100
> From: Rory Slegtenhorst <rory.slegtenho...@gmail.com>
> To: opensim-dev@opensimulator.org
> Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID:
>         <calagunukaptidafpvbqeoqvu2nf1kknstylom45luayaeaw...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Even though log4net and log4j are related (both are Apache projects), the
> bug is Java only. And even then, it's only log4j2 that's actually
> vulnerable.
> I sincerely doubt that .Net has JNDI support.
>
> Rory Slegtenhorst
> rory dot slegtenhorst at gmail dot com
>
>
> On Mon, Dec 13, 2021 at 8:39 PM Ai Austin <ai.ai.aus...@gmail.com> wrote:
>
> > I have been told by the University it is under serious attack (as are
> > lots of other institutions and servers) by the latest Zero-day
> > exploiting Apache Log4j logging library... Does anyone know if our
> > logging using Log4net is impacted (or linked in some way to the
> > libraries) or that we might be vulnerable?
> >
> > Here are the notes sent to those running servers by our tech team
> > today...
> >
> > >I suspect that you will have heard of the latest zero-day exploit to
> > >hit the news - the Apache Log4j logging library, used by a large
> > >number of both open source and proprietary software, can be easily
> > >exploited to take control of vulnerable systems remotely. We are
> > >already seeing a large number of probes against the systems that we
> > >manage, testing for their vulnerability to this exploit. We are
> > >confident that your system(s) are similarly being probed.
> > >
> > >The University has put in place some protection against this
> > >vulnerability, but it is crude protection and expected to be worked
> > >around fairly swiftly. The only real protection is to take
> > >vulnerable systems off-line until they are patched.
> > >
> > >Identifying whether a system is vulnerable to this exploit is non-trivial
> > >as Log4j is commonly shipped in a JAR file with an
> > >application - it is not just as simple as checking (with rpm or
> > >dpkg) which version of Log4j is installed on the system.
> > >
> > >The following web-site includes a list of software which is known to
> > >be affected -
> > >https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/.
> > >
> > >Guidance from the National Cyber Security Centre is available at :-
> > >https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
> >
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev@opensimulator.org
> > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 14 Dec 2021 10:10:55 +0000
> From: Ai Austin <ai.ai.aus...@gmail.com>
> To: <opensim-dev@opensimulator.org>
> Subject: Re: [Opensim-dev] Check if we are impacted by latest Zero-day
>         exploiting Apache Log4j logging library
> Message-ID: <61b86db4.1c69fb81.c63e4.e...@mx.google.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> Fred Beckhsuen gave me some useful background on this... we use
> Log4Net 2.0.8.0 in OpenSim 0.9.2.0 release and 0.9.21. Dev master,
> and Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
> according to CVE-2018-1285...
>
> https://github.com/advisories/GHSA-2cwj-8chv-9pp9
>
> Fred also added that he did hear something about OpenSim not allowing
> arbitrary anything to be injected into Log4Net. Maybe those in the
> know could take a look at that.
>
>
>
> ------------------------------
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev@opensimulator.org
> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
>
>
> End of Opensim-dev Digest, Vol 75, Issue 2
> ******************************************
_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
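The university tech note quoted in the digest makes the practical point that rpm/dpkg cannot answer the Log4Shell question because log4j-core travels inside application archives, often inside another archive (a WAR in an EAR). The scanner below is an added example for this thread, not code from OpenSim or from anyone posting here, and it says nothing about log4net (a separate .NET code base). It walks a directory, opens every .jar/.war/.ear/.zip, recurses into archives stored inside archives, reads the log4j-core version from the Maven pom.properties that the jar carries, and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, since deleting that class was the published mitigation for builds that could not be upgraded. The affected range for CVE-2021-44228 (2.0-beta9 through 2.14.1, fixed in 2.15.0 with backports 2.12.2 and 2.3.1) is stated from the Apache advisory as I recall it; the sample tree the block builds is constructed from minimal zips and is not a real deployment.

```python
import io, os, re, tempfile, zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Maven metadata that log4j-core ships inside its jar (exact version), and the
# class behind ${jndi:...} lookups (deleting it was Apache's documented mitigation).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str               # outer file, nested entries joined with '!'
    version: Optional[str]  # None when pom.properties is missing
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:  # CVE-2021-44228 needs both conditions
        return is_affected_version(self.version) and self.has_jndi_lookup


def is_affected_version(version: Optional[str]) -> bool:
    """2.0-beta9..2.14.1 affected; fixed in 2.15.0 and the backports 2.12.2
    (Java 7) and 2.3.1 (Java 6); 1.x has no JNDI lookup. Unknown or
    unparsable versions are treated as affected (fail closed)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return True
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2 or minor >= 15:
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True  # pre-beta9 2.0 snapshots are flagged too, which is conservative


def scan_archive(data: bytes, label: str) -> Iterator[Finding]:
    """Report this archive if it is log4j-core, then recurse into archives
    stored inside it (e.g. WEB-INF/lib/*.jar inside a WAR)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        yield Finding(label, version, JNDI_LOOKUP in names)
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            yield from scan_archive(zf.read(name), f"{label}!{name}")


def scan_tree(root: str) -> List[Finding]:
    """Walk an install tree and scan every archive found in it."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def _fake_log4j_core(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the entries the scanner
    reads, with placeholder class bytes. Not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed deployment: an affected jar, the same version with
    JndiLookup.class deleted, and a WAR nesting a fixed and a backport-fixed jar."""
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1-stripped.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1", include_jndi=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.12.2.jar", _fake_log4j_core("2.12.2"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> Dict[str, bool]:
    """Scan the constructed tree; returns relative path -> vulnerable?"""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(f.path, tmp).replace(os.sep, "/"): f.vulnerable
                for f in scan_tree(tmp)}
```

Run scan_tree() against a real install directory to get one Finding per embedded log4j-core, nested paths shown as outer.war!WEB-INF/lib/inner.jar. Two caveats a practitioner should keep in mind: a jar whose pom.properties has been stripped is reported with version None and deliberately counted as affected rather than ignored, and shaded or relocated copies of log4j (classes renamed under another package) will not be matched by these two fixed paths, so a clean scan is evidence, not proof.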