java there's a major security exploit


Postby SavageFox » Sun Dec 26, 2021 10:31 pm

You guys should make sure you have the most up-to-date version of Java; there's a major security exploit.


https://www.youtube.com/watch?v=Z22O5uEsF6U
This video might be talking about Minecraft, but this exploit affects everything that runs Java.
SavageFox
 
Posts: 151
Joined: Sat Jun 19, 2021 12:55 am

Re: java there's a major security exploit

Postby shubla » Mon Dec 27, 2021 12:13 am

There is?
I thought that only some certain versions of log4j with some certain flag were affected.
Have not looked into the details, but I doubt that a java update keeps you safe if the vulnerability is in the library itself and in java.

It's nothing too surprising though.
For a long time I've had some thoughts about some popular npm packages and projects for example (npm being the worst example) with a face like this, having these hundreds or thousands of dependencies on even quite simple projects. Most of the libraries have been implemented by god knows who, maintained by god knows who.
With their security mostly based on obscurity, it's only a question of time when more stuff like this pops up.
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: java there's a major security exploit

Postby telum12 » Mon Dec 27, 2021 1:29 am

Haven doesn't use log4j directly, though some deps might.

Shubla, spend a fucking minute thinking or educating yourself before you post your every single thought on the forums, please. There are Java updates that mitigate the code exec to some degree. Your obvious thoughts about supply chain issues in npm packages have absolutely nothing to do with the log4j vulns.
MagicManICT wrote:To me, being called a pedo is exactly like being called gay.

Jalpha wrote:She must have been in heat bro. She was literally fanging for it. Literally posting repeatedly in chat, in all caps "DO IT! POST YOUR DICK! THERE'S NO WAY IT'S 7 INCHES!"

How could any hot-blooded male deny such a request under the circumstances.
telum12
 
Posts: 426
Joined: Mon Mar 12, 2012 10:36 pm
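
A way to check the "some deps might" case for a downloaded client, as an added example that is not part of any post in this thread: it looks for the log4j-core 2.x `JndiLookup` class inside jars, including jars nested in other jars. The function names and the sample jar layout (`haven/Main.class`, `lib/some-dep.jar`) are constructed for illustration; a relocated (shaded) copy of the class would not be matched.

```python
import io
import os
import zipfile

# Class that performs JNDI lookups in log4j-core 2.x. A hit means log4j-core
# is bundled; the bundled version still has to be checked against the fixes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, max_depth=4):
    """Return 'outer.jar!/inner.jar!/...' paths of every JndiLookup hit."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: nothing to report
    hits = []
    with zf:
        for info in zf.infolist():
            where = f"{label}!/{info.filename}"
            if info.filename == JNDI_CLASS:
                hits.append(where)
            elif info.filename.lower().endswith(ARCHIVE_EXT) and max_depth > 0:
                # Dependencies are often shipped as jars nested inside the client jar.
                hits += scan_archive(zf.read(info), where, max_depth - 1)
    return hits


def scan_tree(root):
    """Scan every archive under a client install directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits += scan_archive(fh.read(), path)
    return hits


def constructed_sample():
    """Constructed input: a client jar bundling a dependency jar with log4j-core."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    dep = jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    return jar({"haven/Main.class": b"", "lib/some-dep.jar": dep})
```

Point `scan_tree` at the client's install directory; an empty list means no unshaded log4j-core 2.x classes were found there.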

Re: java there's a major security exploit

Postby mvgulik » Mon Dec 27, 2021 3:57 am

... What else is new ... :P
mvgulik
 
Posts: 3742
Joined: Fri May 21, 2010 2:29 am

Re: java there's a major security exploit

Postby MagicManICT » Mon Dec 27, 2021 8:09 am

I've messaged loftar for a comment on this. If it has no direct effect on the Haven community, it's getting moved to the Inn. It's an important bit of news more than a few here should be concerned with (as I'm sure there's at least a few MC players here), but I'm going to make an educated guess that Haven players don't have to be concerned with this exploit unless a private client is using this library for performance logging. Even then, from what I've read so far, that would require someone to gain access to communications with that client directly. If that's the case, you may have bigger issues than this particular exploit. I may not be understanding the description of the issue properly and drawing the wrong conclusion. Please correct me if I am.
Opinions expressed in this statement are the author's alone and in no way reflect on the game development values of the actual developers.
MagicManICT
 
Posts: 18437
Joined: Tue Aug 17, 2010 1:47 am

Re: java there's a major security exploit

Postby shubla » Mon Dec 27, 2021 10:16 am

telum12 wrote: some deps might.

telum12 wrote: thoughts about supply chain issues in npm packages have absolutely nothing to do with the log4j vulns

ok mr iq 9000 :roll: :roll: :roll: :roll: :roll:
MagicManICT wrote:I've messaged loftar for a comment on this. If it has no direct effect on the Haven community, it's getting moved to the Inn. It's an important bit of news more than a few here should be concerned with (as I'm sure there's at least a few MC players here), but I'm going to make an educated guess that Haven players don't have to be concerned with this exploit unless a private client is using this library for performance logging. Even then, from what I've read so far, that would require someone to gain access to communications with that client directly. If that's the case, you may have bigger issues than this particular exploit. I may not be understanding the description of the issue properly and drawing the wrong conclusion. Please correct me if I am.

What you need to do depends on what things are logged by it. If some HnH client used it I'd imagine that the most likely way to exploit it was if one logged all widget messages or something with it, along with their parameters, possibly resulting in ability to exploit the vulnerability via village/realm names and in game chats. Realm chat for example. Or any other input provided by user that could be logged by the client.
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: java there's a major security exploit

Postby telum12 » Mon Dec 27, 2021 12:18 pm

shubla wrote:
telum12 wrote: some deps might.

telum12 wrote: thoughts about supply chain issues in npm packages have absolutely nothing to do with the log4j vulns

ok mr iq 9000 :roll: :roll: :roll: :roll: :roll:


Do you unironically think jogamp or some other dep using log4j is equivalent to the immense dependency trees created by npm?

Anyway, I feel like you should be on this given that you have a public client. Oh wait, you don’t care if your client leaks data.
telum12
 
Posts: 426
Joined: Mon Mar 12, 2012 10:36 pm

Re: java there's a major security exploit

Postby MagicManICT » Fri Jan 14, 2022 9:42 am

Bumping this waiting to hear from loftar on the matter.

As an aside: some goings on over this from people on getting funding support for open source software to better keep things updated, patched, and otherwise prevent exploits as expediently as possible, possibly using government funding or other sources outside of traditional open source funding and coding lines. Article originally on Gizmodo (spotted via MSN): https://www.msn.com/en-us/news/technolo ... InAppShare
MagicManICT
 
Posts: 18437
Joined: Tue Aug 17, 2010 1:47 am

Re: java there's a major security exploit

Postby jorb » Fri Jan 14, 2022 12:01 pm

We do not use log4j, and are not at risk from this exploit.
"The psychological trials of dwellers in the last times will be equal to the physical trials of the martyrs. In order to face these trials we must be living in a different world."

-- Hieromonk Seraphim Rose
jorb
 
Posts: 18263
Joined: Fri Apr 03, 2009 7:07 am
Location: Here, there and everywhere.

Re: java there's a major security exploit

Postby shubla » Fri Jan 14, 2022 1:44 pm

jorb wrote:We do not log

we know
shubla
 
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland
