IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2021/12/11
@eyedeekay
&kytv
&zzz
+R4SAS
+RN
+RN_
+dr|z3d
+hk
+not_bob
+orignal
+postman
+wodencafe
Arch
DeltaOreo
FreeRider
FreefallHeavens
Irc2PGuest28511
Irc2PGuest64530
Irc2PGuest75862
Irc2PGuest77854
Nausicaa
Onn4l7h
Onn4|7h
Over
Sisyphus
Sleepy
Soni
T3s|4_
Teeed
aargh3
acetone_
anon4
b3t4f4c3
bak83
boonst
cancername
cumlord
dr4wd3
eyedeekay_bnc
hagen_
khb_
plap
poriori_
profetikla
r3med1tz
rapidash
shiver_1
solidx66
u5657
uop23ip
w8rabbit
weko_
x74a6
AmyMalik is i2p affected by the log4j RCE, i.e. does i2p feed lines not wholly under its control to log4j?
dr|z3d AmyMalik: no.
AmyMalik No as in, i2p does not use log4j+
dr|z3d correct.
AmyMalik awesome
AmyMalik Irc2PGuest35925:
AmyMalik wodey, your id is leaking
zzz eche|off, 12 hours after your question (and my answer) I got on twitter for the first time today and learned why you asked about log4j
zzz somebody should have pulled the damn fire alarm and told somebody (me) what was going on
zzz or somebody like zab who could also have investigated
zzz in particular there's also the plugins that need to be gone through
zzz bote and jwebcache appear to use it
zzz although both appear to be using ancient non-vulnerable version
zzz you all failed collectively to either do your own research or give me any info on a potential crisis
zzz the question is not 'does i2p use log4j' but 'do we or any of our dependencies (jetty, tomcat, etc) or any plugin or any of their dependencies or any other i2p java application or their dependencies use it'
zzz oh and by the way drop EVERYTHING else to answer the question
AmyMalik i should've gone looking.. ;-;
AmyMalik sorry zzz ;-;
zzz y'all can use grep just as well as I can :)
eyedeekay Just sent you an email zzz
eyedeekay The only jar I see it in is jetty-i2p.jar
eyedeekay This JNDI lookups thing, does it even have any value to us?
eyedeekay I checked in a change to log4j.properties to disable it but I'll back it out if it should stay on
zzz - where do you see it in jetty-i2p.jar?
zzz - how does your change protect our users?
zzz and if you think that change does protect users, then we should be doing an emergency release tonight, right?
eyedeekay In a config file named log4j.properties and I don't think anything else
eyedeekay I'm not convinced we're directly vulnerable to this one
eyedeekay But the change should protect users from the class of vulnerability "JNDI Injection" in log4j by disabling the corresponding feature, "JNDI lookups"
eyedeekay If we were to be vulnerable, I think the most obvious way would be if the eepSite was configured to log headers somehow, and they recieved a header containing the crafted string
zzz I could have spent all day on this if eche or anybody had told me. a little late now
zzz your change looks harmless
zzz I haven't found any problems yet
zzz bote and jwebcache come the closest
zzz but haven't checked to see what jetty and tomcat and ant have to say on the topic
eyedeekay I had a look at jetty, it's difficult to follow but I don't think jetty 9.3.29 with our configuration will use log4j
eyedeekay Apparently jetty<10 uses it's own logging thing: stackoverflow.com/a/25794109
eyedeekay But I don't know for sure, it would appear that if slf4j is in the classpath, it might use slf4j which might in turn be using log4j
zzz I'm pretty confident that jetty and tomcat are in the clear. if you folks would like to survey all the known plugins that would be great
zzz so far all i've found is bote and jwebcache on 1.x
zzz *** afk ***
eyedeekay I will keep looking, agree with you so far
dr|z3d > Java 8u121 protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
eyedeekay unzipped and grepped all the plugin files I have
eyedeekay only other log4j user I found was pebble, which uses log4j 1.2.15 which is not affected.
eyedeekay Further it is already anti-recommended due to vulnerabilities in pebble 2.4
dr|z3d pebble's dead, jim!
eyedeekay Yeah I'm pretty sure it won't even work
dr|z3d speaking of blogs, lektor's another interesting static bog generator which the torproject's migrating over to.
eyedeekay Ooh. That doesn't look bad at all for a blog
dr|z3d thought it might tickle you :)
eyedeekay As long as I can convince it HOME=$HOME/.i2p/plugins/lektor in some way I don't see it being too challenging to pluginize
eyedeekay Apparently by default it installs itself to a place determined by the user's $HOME
Pajamas i need to take a shower
Pajamas but im too lazy too :(
dr|z3d lektor or publii.. nice to have choices :)
val_ zzz: I've added wrapper.java.additional.5=-Dlog4j2.formatMsgNoLookups=true to my wrapper.config