People do design reviews?
bill

Good question. It should not have.
There are some code in loggers, but the architecture is pretty simple:

|--multiple formatters
core--|
|--multiple appenders

Arne

https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers

Arne

It's a full remote command execution flaw (RCE), meaning that pretty
much anything that the Java app has access to is also exposed to the
attacker, if the attacker can get the exploit text string to the
logging software.

Access to the vulnerable logger can be via host name string, by HTTP
headers, or by embedding the text into other data streams, depending on
the app involved. It varies. Widely.

What can you do with the vulnerability? There are reportedly already
cryptocurrency miners and ransomware efforts underway using the
vulnerability, and I expect we'll see a long tail of more...

An intro to the log4j vulnerability from the Swiss government:
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/


List of affected products (re-post) :
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

One of the security vendors with some info:
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/

There's a Python detection tool at that last URL, though I've not
checked to see if that might be reasonably portable to OpenVMS.

Been working with some OpenVMS folks on this, and y'all with Java
installed and Java apps in use will want to take a look at what's in
those jars. Or if you have Java installed and don't need it, best
remove it.

The vulnerability is in the processing of log messages in
a logging framework.

To exploit the attackers need to get a specific message
logged.

And that is usually pretty easy. The primary purpose of logging
is to help troubleshooting problems and to do that it makes sense
to log user input.

It does not matter how the user input comes into the system.

The two most common ways are probably:
* web service calls coming in from the internet
* web form post coming in from internet

But it could also be an insider instead of internet.

And it could be plain socket or a message queue or a file
instead of HTTP(S).

Because the problem is in the data content, then traditional
isolation often doesn't help.

--firewall--Java web service with log4j

--firewall--Apache httpd proxy--firewall--Java web service with log4j

--firewall--Apache httdd proxy--firewall--PHP web service--message
queue--Java backend with log4j

--firewall--Apache httdd proxy--firewall--PHP web
service--database--Python job--message queue--Java backend with log4j

does not make a difference if that Java code calls log4j with
user input with malicious content then bad things can happen.

To move on with the exploit the Java code need to be able to
reach a server controlled by the attacker, but many places
only have strict control of inbound traffic not outbound traffic.

And the Java code need to have access to something. But if the
code is intended to do something on behalf of the user then it
obviously need to have access to user data. That it may not have
access to modify OS does not stop bad things from happening.

Arne