nanog mailing list archives

Re: Log4j mitigation

From: "Jörg Kost" <jk () ip-clear de>
Date: Mon, 13 Dec 2021 12:00:37 +0100

It's not true.

It can pull from other ports, URLs, make DNS calls, and seems toevaluate even from environment variables.

It's a "virtual machine".

On 13 Dec 2021, at 11:54, Jean St-Laurent via NANOG wrote:

Well if you look to the right you won't see it, but if you look to theleft you will see it.
Meaning, that for a successful attack to work, the infected host needsto first download a payload from ldap.
And ldap runs on port 389/636.
You probably can't see the log4j vulnerability in the https, but youshould be able to see your servers querying weird stuff on internet onport 389/636.
Just don't allow your important hosts to fetch payload on internet onport 389/636.
Et voila! Look to the left, not to the right.

Jean

Current thread:

Log4j mitigation Andy Ringsmuth (Dec 10)
- Re: Log4j mitigation Jared Mauch (Dec 11)
  - Re: Log4j mitigation Owen DeLong via NANOG (Dec 13)
    - Re: Log4j mitigation Jared Mauch (Dec 13)
    - Re: Log4j mitigation Carsten Bormann (Dec 13)
    - Re: Log4j mitigation Alain Hebert (Dec 13)
    - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
- Re: Log4j mitigation Nick Hilliard (Dec 11)
  - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation Jörg Kost (Dec 13)
    - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation Jörg Kost (Dec 13)
    - Re: Log4j mitigation Saku Ytti (Dec 13)
    - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation Saku Ytti (Dec 13)
    - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation Jörg Kost (Dec 13)
    - Re: Log4j mitigation Jörg Kost (Dec 13)
    - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation Joe Greco (Dec 13)

(Thread continues...)