Severe 0-day exploit in Java package "log4j2"
From: https://www.lunasec.io/docs/blog/log4j-zero-day/
Path of Exile isn't vulnerable to this, is it?
Last bumped on Dec 14, 2021, 11:39:17 PM
|
|
Pretty much everything is. But I expect GGG and Tencent are expert enough to react appropriately.
https://linktr.ee/wjameschan -- everything I've ever done worth talking about, and even that is debatable.
|
|
I've created another topic in "Help & Information" about this.
Because I think they (GGG) won't read too much in the offline section. Here's the link to my post: https://www.pathofexile.com/forum/view-thread/3221725
For such a severe issue (affecting probably billions of devices/applications/software/etc.), I'd appreciate any kind of information, even if it is "under investigation".
Last edited by as_69#6169 on Dec 12, 2021, 4:42:08 AM
|
|
Why do you automatically think that they are using this Java library?
It's not standard in any webserver configuration and their game is built in C++ so... where exactly would they use it? (And even there, in most enterprise-level Linux distributions it's already patched.)
Edit: and how the hell would allow unfiltered response through firewalls xD Outbound rules with package inspection is standard today. I do understand it's serious business, but any serious IT expert has defenses in place.
Current Build: Penance Brand God build?! https://pobb.in/bO32dZtLjji5
Last edited by tsunamikun#0433 on Dec 12, 2021, 7:48:00 PM
|
|
It's really a Java thing. Even though what exists under the Java wrap of Log4j is used in other environments, the RCE vulnerability requires Java. And that's basically the dangerous one. A krangled JNDI LDAP lookup (basically looking for accounts) will only cause a DDOS.
Well, GGG doesn't use Java, for starters. And if they did use log4j they wouldn't be able to say. That's bad security practice. Better to say nothing in this case (no sarcasm). Lastly, these lookups are terrible design. But for once I'll keep the rant to myself. Have a nice time.
Did you try turning it off and on again?
|
|