AmyMalik
is i2p affected by the log4j RCE, i.e. does i2p feed lines not wholly under its control to log4j?
dr|z3d
AmyMalik: no.
AmyMalik
No as in, i2p does not use log4j+
AmyMalik
?*
dr|z3d
correct.
AmyMalik
awesome
AmyMalik
Irc2PGuest35925:
AmyMalik
wodey, your id is leaking
zzz
eche|off, 12 hours after your question (and my answer) I got on twitter for the first time today and learned why you asked about log4j
zzz
somebody should have pulled the damn fire alarm and told somebody (me) what was going on
zzz
or somebody like zab who could also have investigated
zzz
in particular there's also the plugins that need to be gone through
zzz
bote and jwebcache appear to use it
zzz
although both appear to be using ancient non-vulnerable version
zzz
you all failed collectively to either do your own research or give me any info on a potential crisis
AmyMalik
;-;
zzz
the question is not 'does i2p use log4j' but 'do we or any of our dependencies (jetty, tomcat, etc) or any plugin or any of their dependencies or any other i2p java application or their dependencies use it'
zzz
oh and by the way drop EVERYTHING else to answer the question
AmyMalik
i should've gone looking.. ;-;
AmyMalik
sorry zzz ;-;
zzz
y'all can use grep just as well as I can :)
eyedeekay
Just sent you an email zzz
eyedeekay
The only jar I see it in is jetty-i2p.jar
eyedeekay
This JNDI lookups thing, does it even have any value to us?
eyedeekay
I checked in a change to log4j.properties to disable it but I'll back it out if it should stay on
zzz
- where do you see it in jetty-i2p.jar?
zzz
- how does your change protect our users?
zzz
and if you think that change does protect users, then we should be doing an emergency release tonight, right?
eyedeekay
In a config file named log4j.properties and I don't think anything else
eyedeekay
I'm not convinced we're directly vulnerable to this one
eyedeekay
But the change should protect users from the class of vulnerability "JNDI Injection" in log4j by disabling the corresponding feature, "JNDI lookups"
eyedeekay
If we were to be vulnerable, I think the most obvious way would be if the eepSite was configured to log headers somehow, and they received a header containing the crafted string
zzz
I could have spent all day on this if eche or anybody had told me. a little late now
zzz
your change looks harmless
zzz
I haven't found any problems yet
zzz
bote and jwebcache come the closest
zzz
but haven't checked to see what jetty and tomcat and ant have to say on the topic
eyedeekay
I had a look at jetty, it's difficult to follow but I don't think jetty 9.3.29 with our configuration will use log4j
eyedeekay
Apparently jetty<10 uses its own logging thing: stackoverflow.com/a/25794109
eyedeekay
But I don't know for sure, it would appear that if slf4j is in the classpath, it might use slf4j which might in turn be using log4j
zzz
I'm pretty confident that jetty and tomcat are in the clear. if you folks would like to survey all the known plugins that would be great
zzz
so far all i've found is bote and jwebcache on 1.x
zzz
*** afk ***
eyedeekay
I will keep looking, agree with you so far
dr|z3d
> Java 8u121 protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
eyedeekay
unzipped and grepped all the plugin files I have
eyedeekay
only other log4j user I found was pebble, which uses log4j 1.2.15 which is not affected.
eyedeekay
Further it is already anti-recommended due to vulnerabilities in pebble 2.4
dr|z3d
pebble's dead, jim!
eyedeekay
Yeah I'm pretty sure it won't even work
dr|z3d
speaking of blogs, lektor's another interesting static blog generator which the torproject's migrating over to.
eyedeekay
Ooh. That doesn't look bad at all for a blog
dr|z3d
thought it might tickle you :)
eyedeekay
As long as I can convince it HOME=$HOME/.i2p/plugins/lektor in some way I don't see it being too challenging to pluginize
eyedeekay
Apparently by default it installs itself to a place determined by the user's $HOME
Pajamas
i need to take a shower
Pajamas
but im too lazy too :(
dr|z3d
lektor or publii.. nice to have choices :)
zzz
log4j thread: zzz.i2p/topics/3214
val_
zzz: I've added wrapper.java.additional.5=-Dlog4j2.formatMsgNoLookups=true to my wrapper.config