Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log4J Security Risk - muWire affected? #115

Open
JamesOlvertone opened this issue Dec 10, 2021 · 1 comment
Open

Log4J Security Risk - muWire affected? #115

JamesOlvertone opened this issue Dec 10, 2021 · 1 comment

Comments

@JamesOlvertone
Copy link

There is a new Zero-Day-Exploit in Java systems possible, called "Log4-Shell" on systems which use Apache Log4J.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

If I grep over the source I get some hits but I think muWire does not use it really (?)

There are some workarounds:
use -Dlog4j2.formatMsgNoLookups=true
or
delete the specific class: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
or
upgrade to newest Log4J 2.5,

Some Java 8 releases have deactivated some features by default in JNDI that this exploit uses.

Also read this:
https://github.com/0x0021h/apache-log4j-rce/blob/main/poc/src/main/java/log4j.java

Collection of some Sites where the exploit worked:
https://github.com/YfryTchsGD/Log4jAttackSurface
@zlatinb
Copy link
Owner

zlatinb commented Dec 11, 2021

MuWire uses the JUL (java.util.logging) logger via the @Log Groovy annotation. The embedded I2P router uses it's own logging system which is redirected to JUL on startup.

If you unzip the .zip distribution of MuWire you will see all the jars it depends on; log4j isn't one of them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zlatinb @JamesOlvertone