- Woo: ?
- Woo: What’s that colored crack on the garage wall?
- Sandra: Oh, it’s probably nothing.
- Jeffy: Look, Dolly! Godless heathens that need to be purged!
- Sandra: Oh no! It was a security hole that allows remote comic execution!!
Currently on hiatus :-(
Sandra and Woo is supported by our patron Achim. Thank you very much!
COLOUR IS BACK
What.
Never did trust those “innocent” Family Circus kids, who somehow were able to communicate regularly with their grandpa’s spirit, visiting from Heaven. Something’s just not… right about that.
For those unaware (and those in the future) the “log4j” vulnerability was announced about 2 days ago and every IT person just fucking SIGHED at the same time as they knew they may have to work through until Christmas Eve night.
A crack in the skin of the universe??
Wibbly-wobbly, timey-wimey….
@ Sam:
Prisoner 0 has escaped!
Sounds like something asking for a *tap on the shoulder*.
Mr. Random wrote:
I’ve discovered it only yesterday night, and you don’t know how happy I am to have only one Java service in my stack!
@ Belinde:
And they said: “reuse code”, “don’t develop your own logging solution”
Oh how we laugh now!
andowero wrote:
This shows the huge importance of diversity in an ecosystem. This applies not only in biology.
@ Mr. Random:
What is christmas?
Working in necessary IT we are open 24/366 (We don’t even close on 29th February)
One thing that I always notice during these end of year times, bosses prepare more food and gifts. Yet I can never find them to thank them in person until the new year…
@ eledore:
They don’t actually prepare more. You just get what they don’t need while they’re on vacation 😉
@ andowero:
You are assuming that what you would build yourself is of comparable quality and less vulnerable and/or buggy… which, given the amount of work going into libraries like that, is somewhat unlikely.
And for those who have fairly current versions of frameworks and libraries, updating to a fixed version is relatively easy (generally just specifying a different version number in Maven).
The real pain is for those whose versions are so far out of date that they have to deal with breaking changes… and it’s even worse when you don’t even have automatic dependency management.
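The comment above is about knowing which version you are actually running, which in practice means inventorying jars, including the ones bundled inside .war/.ear files. Below is an added example, written for this page and not code from the page, from Apache or from any commenter: an offline Python check that reads the log4j-core version from each archive (from META-INF/maven/…/log4j-core/pom.properties, falling back to Implementation-Version in MANIFEST.MF), notes whether JndiLookup.class is still present, and recurses into nested jars. The 2.17.1 threshold and the verdict names are this example's own policy choices; the sample jars it builds are constructed test input.

```python
"""Added example (not the page's or Apache's code): offline inventory check for
log4j-core jars. Reads the version from pom.properties or MANIFEST.MF, checks
whether JndiLookup.class is present, recurses into jars bundled in .war/.ear.
Assumption: FIXED_VERSION = 2.17.1 is this example's own policy threshold.
"""
import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 1)   # first 2.x release this check treats as clean (policy choice)
LOOKUPS_GONE = (2, 16, 0)    # message lookups removed, JNDI off by default
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def core_version(zf):
    """Version string of log4j-core in this jar, or None if it is not log4j-core."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names and any(
            n.startswith("org/apache/logging/log4j/core/") for n in names):
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def assess_archive(data, label):
    """Classify one archive given as bytes; returns [(label, version, verdict), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = core_version(zf)
        if version is not None:
            parsed = parse_version(version)
            if parsed is None:
                verdict = "unknown-version"
            elif parsed >= FIXED_VERSION:
                verdict = "fixed"
            elif parsed >= LOOKUPS_GONE:
                verdict = "upgrade-recommended"      # no message lookups, but later CVEs remain
            elif JNDI_LOOKUP in names:
                verdict = "VULNERABLE"
            else:
                verdict = "mitigated-class-removed"  # old jar with JndiLookup stripped out
            findings.append((label, version, verdict))
        for name in names:                           # jars bundled inside a war/ear
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(assess_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and assess every archive found in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(assess_archive(fh.read(), path))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed input: a fake log4j-core jar holding only the entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo_scan():
    """Constructed tree: a stripped jar plus a war bundling a 2.14.1 and a 2.17.1 jar."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_sample_jar("2.17.1"))
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "stripped.jar"), "wb") as fh:
            fh.write(build_sample_jar("2.14.1", include_jndi=False))
        with open(os.path.join(d, "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        return sorted(verdict for _, _, verdict in scan_tree(d))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for label, version, verdict in scan_tree(sys.argv[1]):
            print(f"{verdict:24} log4j-core {version:10} {label}")
    else:
        print(demo_scan())
```

Run it with a directory argument to scan a real deployment; without one it scans the constructed sample tree. A jar whose JndiLookup.class was deleted by hand is reported separately from a genuinely vulnerable one, because that was a common stop-gap and still needs a real upgrade.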
@ New Number 2:
Was looking for that comment hahaha.
Rap tap tap
@ Sharien:
@andowero is right. Installed base is paramount for automated attacks, like worms in the past, or “push button” tools today. On the other hand if I write my own logger or SSL layer, it’s probable it will have worse security than Log4j or OpenSSH, yes. But hackers will have to learn the vulnerabilities specific to them. And if I’m a “nobody”, it’s probable they won’t find it worth the effort.
Finding vulnerabilities is hard. You only make it affordable with a big installed base (see how attacks have moved from Windows to Android and iOS, leaving Mac OS alone). Remember that, nowadays, malware is an industry. The more devices and intranets I can get into, the more ransoms I will get paid!
@ Grijan:
Professional hacker here. Don’t develop software yourself without knowing what you do and put it into the internet. Let’s take a web application which has one or two SQL injections and an unchecked file upload. Vulnerabilities in such software can be easily found with automated tools. The server is then potentially a great door into the internal network which will be manually exploited for profit.
What happened to that battle of the bands arc?
About time Woo showed up. He’s in probably less than a dozen strips this year with big gaps between appearances.
Should’ve just used System.out.println().
Matter of whether they’re on the same page or not.
Next page. . . Sgt. Tarkus, of the Blood Ravens is gonna pop out of the rift. . .
(for those going “huh?”, I bring this link (may it, in the Emperor’s Name, work): https://www.reddit.com/r/Warhammer40k/comments/797auj/found_this_on_familycircuscom_unaltered/)
@ Aui:
Professional security person here, though…
As long as you know what vulnerabilities to block (make sure your security and security dev team is well trained and attends day seminars twice a month at least, and their standups involve reading the news about the latest bugs), and all your data passes through a single bottleneck location where you can do sanitization, and you get regular penetration testing, knock yourself out.
Too many libraries have individual vulnerabilities, which means if you’re relying exclusively on your own code, you can update it immediately without having to wade into some library. It’s easier to maintain one endpoint design you design yourself rather than maintain functionality of six thousand libraries that may or may not be updating regularly. Also, if you force hackers to write hacks *specifically* for your site instead of using an out-of-box solution, that’s an extra layer of security.
That said, there is something to the adage of “Don’t roll your own security”; specifically, having someone else manage your security is really good if you’re bad at it, and it also gives you someone to sue if it fails, which is really important to the bean counters.
Why is everybody always so down on us godless heathens?
andowero wrote:
Java is a security hole. We all said so 25 years ago when Sun first released it.
And today on “Crossovers that I never expected to see” we have Sandra and Woo x Family Circus.
@ Algiz:
How many people are maintaining log4j? IIRC Heartbleed happened because OpenSSL was used by everybody, but the code was maintained by just one guy.
Sharien wrote:
log4j 1 is unaffected … just saying … 🙂
We have just one Java application and it doesn’t use log4j.
@ Sharien:
The log4j vulnerability is in a worthless “load plugin from format string” feature. If you rolled your own you’d be very unlikely to want or have time to implement such things.
@ Mr. Random:
Thank whatever god is out there that my application isn’t on Apache servers and doesn’t even use Java. It feels so great just copying and pasting the same response to everyone asking that No, we are not affected. Yes, we checked.
@ CrazyCatGuy:
Because you can’t handle the contradictions that us God-having heathens deal with daily.
Aw crap, it’s Bacon Hair and the other one.
All right, all right. Don’t panic. There are procedures for this. They’re OLD procedures, but they should still work. It’s not like the strip has changed in the last 30 years.
First, take out your Jar of Oing and demand that they return to Uncle Roy’s cabin. Then empty the jar while insisting that poop holds the tent where it is. That SHOULD banish them back to the Red Zone.
…and if anyone gets these references it will make my MONTH.
The hole reminds me of All Night Laundry. Well, the time rupture is evil green, but anyway.
@ andowero:
They also say “sanitize your input” (remember “little bobby tables”?). If you do not pass external data verbatim to log4j, you are fine.
HAHAHAHA. Larissa! Educate them on what that term Actually means would you?
Meanwhile…. *Boops Woo’s nose. Playtime!
You know, we never see Everett True, or terrible-tempered Mr. Bang . . . I’m just saying.
rpr wrote:
“Sanitize your input” is one of the biggest mistakes the security devs could have ever said; it leads to the weird horrific flaws that will get executed, because it relies on developers to correctly sanitize all input, everywhere they use that library.
Better libraries separate code and data entirely, such as parameterised sql: there is the sql string, and placeholders where parameters should be, which are only ever treated as data.
Unfortunately, the reason the log4j vulnerability exists (and why everyone is scratching their heads about it), is that log4j has a very similar separation of format and data… and then evaluate said data as code anyway.
No one is sanitizing the parameters they give to a logging library because no one is even expecting that it is treating it as anything other than unsafe data directly from user-input.
Even if they were expecting it, log4j doesn’t provide any means to sanitize data in the first place. If they did, it would become a performance trap, as string processing would always be performed even when a statement is never logged (such as Debug logs when minimum log level is Warning)
For reference, this is vulnerable in log4j 2.14.1:
logger.info("Recorded comment on http://www.sandraandwoo.com for user {}", username);
I would bet money that no other popular logging framework anywhere would do anything with the second parameter other than what is strictly required to write it somewhere.
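The comment above contrasts parameterised SQL, where placeholders are only ever data, with a logger that formats the message and then evaluates lookups inside it anyway. Below is an added example written for this page, not rpr's code and not log4j's: the SQL half uses real parameterised queries against an in-memory sqlite3 database; the logging half is a deliberately simplified Python imitation of the pre-2.16 log4j behaviour (substitute the {} parameters first, then expand ${kind:key} lookups over the whole formatted string). Only an "env" lookup is modelled, the lookup syntax and the `no_lookups` switch are this example's own stand-ins for log4j's real mechanism and its `formatMsgNoLookups` setting, and the "username" carrying a lookup directive is constructed input.

```python
"""Added example (not log4j's or the page's code): a toy model of the
format/data separation discussed above. Parameterised SQL keeps the bound
value as data; the imitation logger reinterprets a parameter as a directive.
"""
import os
import re
import sqlite3

# Toy lookup syntax: ${kind:key}. Modelled on log4j's, not its real parser.
LOOKUP_RE = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")


def _resolve(kind, key):
    """Toy lookup resolvers. Only 'env' is modelled; any other kind is reported
    as an attempted lookup rather than performed (no network, no JNDI)."""
    if kind == "env":
        return os.environ.get(key, "")
    return f"<{kind} lookup attempted for {key!r}>"


def format_message(fmt, *params, no_lookups=False):
    """Imitation of a 2.14-era log4j message pipeline.

    1. Replace each '{}' with the next parameter (parameters are user data).
    2. Unless no_lookups, replace every ${kind:key} in the *whole* result,
       including text that arrived via a parameter, with its lookup value.
    Step 2 is the defect: data from step 1 is re-read as an instruction.
    """
    msg = fmt
    for p in params:
        msg = msg.replace("{}", str(p), 1)
    if no_lookups:
        return msg                       # parameters stay inert text
    for _ in range(10):                  # bounded: nested results may hold ${...}
        new = LOOKUP_RE.sub(lambda m: _resolve(m.group(1), m.group(2)), msg)
        if new == msg:
            break
        msg = new
    return msg


def record_comment_sql(username, comment):
    """Parameterised SQL: the ? placeholders are bound as data, never parsed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (username TEXT, body TEXT)")
    con.execute("INSERT INTO comments VALUES (?, ?)", (username, comment))
    return con.execute("SELECT username, body FROM comments").fetchone()


def demo():
    """Constructed input: a 'username' that is really a lookup directive."""
    os.environ["DEMO_SECRET"] = "hunter2"            # stands in for a real secret
    hostile_user = "${env:DEMO_SECRET}"
    sql_row = record_comment_sql(hostile_user, "'); DROP TABLE comments; --")
    vulnerable = format_message("Recorded comment for user {}", hostile_user)
    hardened = format_message("Recorded comment for user {}", hostile_user,
                              no_lookups=True)
    return sql_row, vulnerable, hardened


if __name__ == "__main__":
    row, vuln, hard = demo()
    print("sqlite stored  :", row)
    print("lookups on     :", vuln)
    print("lookups off    :", hard)
```

In the run, sqlite returns both hostile strings byte for byte as stored data, the lookup-enabled formatter replaces the "username" with the environment variable's value, and the `no_lookups` path leaves the `${env:…}` text in the log line as plain data, which is the behaviour a caller of a logging library expects.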