All,

On 12/11/21 03:18, Mark Thomas wrote:
> On 10/12/2021 22:17, James H. H. Lampert wrote:
>> A customer brought this to my attention:
>>
>> https://www.randori.com/blog/cve-2021-44228/
>>
>> I have no idea how (or if) Tomcat is affected. I have only the vaguest idea what this vulnerability even *is.*
>>
>> Can anybody here shed any light?
>
> Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) have no dependency on log4j.

+1

> Applications may have a dependency on log4j.

+1

> -Dlog4j2.formatMsgNoLookups=true

This feature should have been disabled by default in the first place. :/

I have a few other comments for everyone who is losing their fscking minds over this:

0. This isn't a 0-day, so stop calling it that.

1. Calm down. This isn't fscking heartbleed.

2. If you are using a recent Java version, you are fine. Remote classloading of the type being used in these attacks was disabled by default in Java 8u121[1] and similar-era (2017, people!) JREs.

3. Why is *anyone* allowing arbitrary outbound LDAP connections from their servers? I'm honestly very confused and astounded that this is a problem for network servers *at all* because any idiot should have this in their firewall configuration:

OUTBOUND 389 -> DROP
OUTBOUND 636 -> DROP

In fact, everyone should have THIS:

OUTBOUND [stuff I actually use] -> ALLOW
OUTBOUND * -> DROP

The fact that this is causing "major problems" for the world is down to one of two things:

1. There isn't actually any major problem at all
2. Admins everywhere don't actually know anything about security

-chris

[1] https://www.oracle.com/java/technologies/javase/8u121-relnotes.html
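An added example, not from this thread or the Tomcat project: the two checks an admin reading the above would want to run. It walks a directory such as a Tomcat webapps/ or lib/ tree, opens every jar/war (recursing into nested jars), and reports any bundled log4j-core with the version from its Maven pom.properties and whether the JndiLookup class is present; it also checks a JAVA_OPTS string for the -Dlog4j2.formatMsgNoLookups=true flag Mark quoted. The sample directory, the sample archives and the version string 2.14.1 in run_demo() are constructed for the demo.

```python
"""Find bundled log4j-core in a deployment tree and check the JVM mitigation flag.
Added example for the thread above; not Tomcat or log4j project code."""
import io
import os
import shlex
import tempfile
import zipfile
from dataclasses import dataclass

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


@dataclass
class Finding:
    path: str          # outer archive path; nested archives are joined with "!"
    version: str       # from log4j-core pom.properties, or "unknown"
    jndi_lookup: bool  # JndiLookup.class present in the archive


def _parse_version(props: bytes) -> str:
    """Pull the version= line out of a Maven pom.properties file."""
    for line in props.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_archive(zf: zipfile.ZipFile, path: str, findings: list) -> None:
    """Record log4j-core markers in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    has_lookup = JNDI_LOOKUP_CLASS in names
    if has_lookup or POM_PROPERTIES in names:
        version = _parse_version(zf.read(POM_PROPERTIES)) if POM_PROPERTIES in names else "unknown"
        findings.append(Finding(path, version, has_lookup))
    for name in names:  # WEB-INF/lib/*.jar inside a WAR, fat jars, etc.
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{path}!{name}", findings)
            except zipfile.BadZipFile:
                continue  # not actually a zip; skip it


def scan_tree(root: str) -> list:
    """Walk root and return a Finding for every archive that carries log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        scan_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def jvm_opts_disable_lookups(java_opts: str) -> bool:
    """True if the JVM option string carries the formatMsgNoLookups mitigation."""
    return MITIGATION_FLAG in shlex.split(java_opts)


def run_demo() -> list:
    """Build a constructed webapps/ tree (one WAR bundling a fake log4j-core) and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    webapps = os.path.join(root, "webapps")
    os.makedirs(webapps)
    # Constructed inner jar: the two markers the scanner looks for, nothing else.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr(POM_PROPERTIES, b"version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(os.path.join(webapps, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/other.jar", b"not a zip")  # exercises the BadZipFile path
    with zipfile.ZipFile(os.path.join(root, "unrelated.jar"), "w") as jar:
        jar.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")  # no log4j, not reported
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: log4j-core {f.version}, JndiLookup present={f.jndi_lookup}")
    print("JAVA_OPTS mitigated:", jvm_opts_disable_lookups("-Xmx1g " + MITIGATION_FLAG))
```

A hit means the application bundles its own log4j-core, which is exactly the case the thread distinguishes from Tomcat itself; the version and the presence of JndiLookup tell you whether the copy needs upgrading or, on versions that honour it, whether the -D flag above covers it. Point scan_tree() at CATALINA_BASE/webapps and CATALINA_BASE/lib to use it for real.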
