Naked Security

Log4Shell: The Movie… a short, safe visual tour for work and home

Be happy that your sysadmins are taking one (three, actually!) for the team right now... here's why!

‘Twas the night before Christmas
      When all through the house
Not a creature was stirring,
      not even a mouse…

As Christmas 2021 approaches, spare a thought for your sysadmins, for your IT team, and for your cybersecurity staff.

There may be plenty of mice stirring all through the IT house right up to Christmas Eve…

…because that’s the deadline set by the US Cybersecurity and Infrastructure Security Agency (CISA) for patching the infamous Log4Shell vulnerability, a dangerously exploitable flaw in Apache’s widely used Log4j (Logging for Java) programming toolkit.

Since news first broke of the problem on 09 December 2021, Apache has a-patched the code not once but three times, variously fixing CVE-2021-44228 with version 2.15.0, quickly followed by 2.16.0 to fix a related bug dubbed CVE-2021-45046, followed quickly yet again by 2.17.0 to deal with CVE-2021-45105.
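Added here as an example (not the article's code, nor Sophos's or Apache's): a small Python helper that applies the three fix versions above to any log4j-core jars found on disk, reading the version from the Maven pom.properties that Apache ships inside each jar. The jars it scans in demo() are constructed stand-ins, and leaving out the Java 7/6 backport branches is an assumption of this example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fix versions and the CVE each one addressed, as listed in the article (Log4j 2.x
# mainline only; the Java 7/6 backport branches such as 2.12.x are not modelled here,
# an assumption of this example).
FIXES = [((2, 15, 0), "CVE-2021-44228"),
         ((2, 16, 0), "CVE-2021-45046"),
         ((2, 17, 0), "CVE-2021-45105")]

# Standard Maven path of the properties file Apache ships inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string does not start with x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def unfixed_cves(version):
    """CVEs from the article whose fix release is newer than the installed version."""
    return [cve for fix, cve in FIXES if version < fix]

def jar_version(jar_path):
    """Read the log4j-core version from pom.properties; None if the jar lacks it."""
    with zipfile.ZipFile(jar_path) as z:
        if POM_PROPS not in z.namelist():
            return None
        props = z.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.M)
        return parse_version(m.group(1)) if m else None

def scan(root):
    """Map each log4j-core*.jar under root to the CVEs its version still lacks a fix for."""
    report = {}
    for jar in Path(root).rglob("log4j-core*.jar"):
        ver = jar_version(jar)
        report[str(jar.relative_to(root))] = (
            unfixed_cves(ver) if ver else ["version unknown: inspect manually"])
    return report

def demo():
    """Build constructed sample jars (not real Log4j) in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        for ver in ("2.14.1", "2.16.0", "2.17.0"):
            with zipfile.ZipFile(Path(d) / f"log4j-core-{ver}.jar", "w") as z:
                z.writestr(POM_PROPS, f"version={ver}\n")
        return scan(d)
```

Only top-level jars are opened; a log4j-core copy bundled inside a fat jar or WAR file needs a nested-archive walk, which is what purpose-built scanners do.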

Why the pressure from CISA? Why the rush when we’re supposed to be enjoying a global holiday season? Why not wait until New Year and deal with things then?

Here’s why your sysadmins are taking one (three, actually) for the team…

(If you can’t read the text clearly here, try using Full Screen mode, or watch directly on YouTube. Click on the cog in the video player to speed up playback or to turn on subtitles.)

LEARN HOW TO FIX IT

UNDERSTAND THE ISSUES YOURSELF

https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/

LEARN HOW CYBERCRIMINALS ARE USING IT TO ATTACK

DIG INTO THE VULNERABLE CODE WITH SOPHOS LABS


4 Comments

A very good presentation about this problem. Even though I don’t have to deal with this particular issue, I found the video fascinating and well presented. Thank you so much for taking the time to put this together for our education.


Incredible video and very enlightening. You gave me a bit more to chew on than I had initially suspected with the vulnerability. While watching it, I wondered how you set everything up with the different servers so that I could duplicate it. I stumbled upon the Log4j Scanner project by CISA. (https://github.com/cisagov/log4j-scanner) That will do. And then…when you mentioned you wanted an RPN calculator, I had to chuckle and then immediately search for it. While I’m more of a fan of the 12C, I downloaded the 42S because it had other functions I can use as well. Cheers for both the video and the Windows calc replacement.


Try this:

https://nonpareil.brouhaha.com/

It’s a late-70s/early-80s HP calculator simulator (it simulates the original HP calculator CPUs, and runs the *actual HP firmware* – at the original speed, with all the original bugs – extracted from models where the ROMs weren’t copyrighted). It can simulate an HP-12C, though you will need to find the version-before-last to get hold of the HP-12C ROM file (and the HP-16C, my favourite HP ever – mine finally broke about 10 years ago).

It can do an original HP-35, an HP-67, the HP-41 range, and can even pretend to be the weird-and-wonderful HP-01 wristwatch calc that was so much better in the brochure than in real life.

The coolest thing about Free42 is just how perfectly it looks and feels on iOS or Android phones. For those interested, it’s here:

https://thomasokken.com/free42/

(You probably know that the HP-12C has remained so popular with financial folks that it is still made and sold. They go brand new for about £60 these days.)

