Log4j bug questions.

Solved by Eigenvektor

If this is the wrong category to post this, then I will be happy to re-post it in the correct category.

 

So, call me an uneducated idiot all you want but I am a semi-enthusiast computer user and I have a few questions about the very recent and very dangerous log4j bug.

 

1. Is this something that I, who is not a programmer or developer at all, should even be worrying about? I ask because the media absolutely loves creating fear and panic if it means more clicks, so I'm hesitant to trust anything said by any media outlet.

2. This is a Java specific bug, so anything that doesn't use Java in any way is safe from it. Is this correct?

3. Without considering connecting to an attacked/unpatched web-server, can only individual .jar files that have log4j in them be used as an attack vector into one's computer?

4. What recourse is there if one of the things/programs I have on my computer has log4j but is either already abandoned or updated very infrequently? Can I manually block that program from interacting with the internet through some firewall stuff?

 

Using File Explorer's search, the only .jar files that are on my computer (C drive, at least) are a few from VLC (which I just updated to the latest version, at time of writing), some from RPCS3 (which I also just updated to the latest version), a Java installation of a version I'm not sure about (path is "C:\Program Files (x86)\Java\jre1.8.0_281") probably from a past Minecraft installation that I no longer have, an Imperium Galactica source port called OpenIG that is 100% Java (the one I'm most worried about right now), and an installation of IBM's Semeru Runtime that I think is a Java emulator that the GitHub page for OpenIG said to install to run OpenIG (path is "C:\Program Files\Semeru\jdk-17.0.1.12-openj9", I also just installed the latest version, but the site didn't have a release date on it).

 

In short, how fucked am I?

 

Thank you.

https://linustechtips.com/topic/1396635-log4j-bug-questions/

Here's what I know from my very limited knowledge. This bug is specific to a plugin in Java used for creating logs and metrics for Java applications. So, if you don't have the plugin (or Java) installed, you are not vulnerable to it.

If somebody did gain access to it, they get root access. So unless they set up some sort of app that runs when you turn your computer on, restarting it should remove their access.

For somebody to use log4j against you, a Java application has to be running on it and also be exposed to the internet.

Take everything I say with a grain of salt. I do not know what I'm talking about.


42 minutes ago, rojobahr said:

1. Is this something that I, who is not a programmer or developer at all, should even be worrying about? I ask because the media absolutely loves creating fear and panic if it means more clicks, so I'm hesitant to trust anything said by any media outlet.

If you use (server) software that includes a vulnerable version of Log4j and you put this online, you are potentially vulnerable. Big companies probably have more to fear, since they are the more juicy target, but you'll have people scanning any computer they can reach for this vulnerability, so they're still a potential threat to you.

 

42 minutes ago, rojobahr said:

2. This is a Java specific bug, so anything that doesn't use Java in any way is safe from it. Is this correct?

This is a bug specific to the Log4j library, which is used by a very large number of Java projects. So in a sense it is Java specific.

 

42 minutes ago, rojobahr said:

3. Without considering connecting to an attacked/unpatched web-server, can only individual .jar files that have log4j in them be used as an attack vector into one's computer?

If you run that .jar file and it opens a port to the internet (say, a Minecraft server), then yes you are vulnerable to attack. If you just run local software there's virtually no danger of being exploited.

 

42 minutes ago, rojobahr said:

4. What recourse is there if one of the things/programs I have on my computer has log4j but is either already abandoned or updated very infrequently? Can I manually block that program from interacting with the internet through some firewall stuff?

Either don't run the software or use a firewall to block its ports. But that may render the software "useless" if we're talking about something like a Minecraft server. Without internet access it has essentially no purpose, unless you just want to play games with people on your local network.

 

42 minutes ago, rojobahr said:

an Imperium Galactica source port called OpenIG that is 100% Java (the one I'm most worried about right now), …

If this is a local only game, you have nothing to worry about. If it is an online game and it includes Log4j, you may be vulnerable. The simple fact that it is Java software does not make you vulnerable. It must use a vulnerable version of the Log4j library and be reachable over the internet.

 

~edit: I checked out their repository, and I can't find any mention of Log4j in their java files, so it doesn't seem to use it, which means it should be safe to use.

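As an added example (not code from this thread, from OpenIG, or from any other project named here), the following Python script performs the check Eigenvektor did by reading a repository, but on the .jar files already on a disk, which is what the original poster was trying to do with File Explorer. It opens each jar, looks for the JndiLookup class that vulnerable log4j-core builds ship, reads the log4j-core version from the Maven pom.properties those jars carry, and looks one level into nested jars because launchers often bundle their libraries that way. The class and property paths are the real ones used by log4j-core; the FIXED_VERSION cut-off and the sample jars the script builds for its own demonstration are assumptions, not values from the thread.

```python
"""Scan a directory tree for .jar files that bundle the Log4j 2 JNDI lookup class.

Added example, not code from the forum thread. Indicator: the class file
org/apache/logging/log4j/core/lookup/JndiLookup.class, which log4j-core 2.x
builds ship; the version is read from the Maven pom.properties inside the jar.
FIXED_VERSION is an assumed policy cut-off and should follow current advisories.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # assumed policy cut-off, not a value from the thread


def parse_version(text):
    """'version=2.14.1' -> (2, 14, 1); None when no version line is present."""
    m = re.search(r"version\s*=\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar_bytes(data, name, depth=0):
    """Return findings for one jar; recurses one level into jars nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container at all; nothing to report
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if has_jndi or version is not None:
            findings.append({
                "jar": name,
                "jndi_lookup_present": has_jndi,
                "log4j_core_version": version,
                # Lookup class still present and version unknown or below the cut-off.
                "vulnerable": has_jndi and (version is None or version < FIXED_VERSION),
            })
        if depth == 0:
            for entry in names:
                if entry.endswith(".jar"):  # e.g. BOOT-INF/lib/*.jar inside a launcher jar
                    findings.extend(inspect_jar_bytes(zf.read(entry), f"{name}!{entry}", depth + 1))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every .jar beneath it."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        findings.extend(inspect_jar_bytes(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed sample: an in-memory jar that mimics log4j-core's layout (not real Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return buf.getvalue()


def wrap_in_outer_jar(inner_bytes, entry_name):
    """Constructed sample: wrap a jar inside another jar, as launcher jars do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{status:10} {f['jar']}  log4j-core={f['log4j_core_version']}")
```

Run it with the folder to scan as the argument, for example a game folder or a Java install. A jar that bundles a Log4j release at or above the cut-off, or one from which the lookup class has been removed, is reported as ok; a jar with no Log4j 2 in it produces no line at all, which is the same "does not seem to use it" result Eigenvektor reached for OpenIG. A clean scan only tells you the program does not bundle a vulnerable Log4j; it says nothing about whether a program is reachable from the internet, which is the other half of the answer above.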
