
CVE-2021-44228 - Log4j RCE 0-day


Goned75

Regular Contributor
In view of this new CVE, which touches Apache and Log4j prior to 2.15 - do ASUS routers use this?

This is a general question but also for @RMerlin.

Thank you
 
Asus/Merlin don't use Apache.

No, but millions of servers do and that has left everyone in danger.

Even a novice can (and they are) use this exploit to enter servers and PCs.

It is described as "probably the worst threat in the history of modern computing."
 
It is described as "probably the worst threat in the history of modern computing."
I highly doubt that...

Personally, I never even heard of log4j before this CVE became publicized. I use cronolog for servers that have heavy web traffic logging.
 
We use it heavily at our work. Lots of Java/JBoss. This week is going to SUUUUUUUUUUUUUUUUUUUUUUUCK.
 
Came here to ask this same question. Ubiquiti routers are definitely affected:

We use those at our office, which made me wonder if the ASUS firmware also utilizes the log4j library.

Just because the firmware isn't Java-based doesn't mean that the underlying code fails to use log4j in some way.

I suppose this is really a question for ASUS and not Merlin. I would say there is a greater than zero chance that ASUS uses log4j, but I don't know for certain.
 
I highly doubt that...

Personally, I never even heard of log4j before this CVE became publicized. I use cronolog for servers that have heavy web traffic logging.
You're misunderstanding the issue. You can log whatever you want in your own way. The issue is the underlying software provided from ASUS.

This probably isn't the "worst threat in modern computing" but it is certainly in the top 5. The magnitude of this is pretty heavy. A lot of software engineers are probably on their 14th cup of coffee right now patching their software to mitigate this issue.


Edit: Just realized I quoted Merlin himself. As if you don't already know better than the rest of us how the ASUS software works lol. Apologies. ;) If you think we're good, then we're good.
 
Yep - but admittedly I haven't looked at the code ASUS developed to know whether or not they use log4j. I'm feeling positive that Merlin has, and he says we're good. So that's good enough for me, for now.

We don't know for sure though unless we see the source, and I'm assuming the underlying firmware code from ASUS is proprietary and not open. That's my only hesitation.

Edit: All we really have access to is the OS layer. Who knows what is built into the kernel.
 
log4j exploit plenty of security people panicking.
Yes, but people calling it "the worst security issue ever" have a short memory.

Heartbleed was more critical, because OpenSSL was far more widespread.

I was also around during the Windows XP days where worms could remotely infect machines and automatically spread themselves (I forgot the name of the exploit). That was also a more critical security issue.
 
Yes, but people calling it "the worst security issue ever" have a short memory.

Heartbleed was more critical, because OpenSSL was far more widespread.

I was also around during the Windows XP days where worms could remotely infect machines and automatically spread themselves (I forgot the name of the exploit). That was also a more critical security issue.
I think you're referring to Slammer: https://www.wired.com/2003/07/slammer/

Yea, that was ... bad. I agree w/ ya, I don't think this is anywhere near as bad as people think, but it is still a huge exposure due to the amount of Java-based webapps out on the internet. Personally, I'd love it if Java just went away, but I digress.
 
Thanks for the discussion, which for me as a mechanical engineer isn't easy to capture.
My concrete question:
Do I have to be afraid if I am using an RT-AC87U with the modified Asus Merlin Firmware 384.13_202106 as Firewall (behind a Fritz!Box 7490 with the latest firmware 7.29)? Should I switch it with my RT-AC86U which runs the later Asus Merlin 386.3_2?
 
Thanks for the discussion, which for me as a mechanical engineer isn't easy to capture.
My concrete question:
Do I have to be afraid if I am using an RT-AC87U with the modified Asus Merlin Firmware 384.13_202106 as Firewall (behind a Fritz!Box 7490 with the latest firmware 7.29)? Should I switch it with my RT-AC86U which runs the later Asus Merlin 386.3_2?
I think the consensus here is that you don't need to worry about it. The ASUS firmware doesn't appear to utilize this Java feature.

If you swapped out your routers, and if ASUS did utilize log4j, you wouldn't gain anything by swapping hardware other than an angry family because you took down the internet. The issue would be present on both routers. :)
 
Some of the replies are funny, though any exploit is not funny. Arguing this or that is the worst is sort of anal IMO. It's like saying I got cancer but it's the good kind.
 
Will be a busy week at my work patching, testing and deploying. Wheeeee... put the kettle on.

Seems even the very old versions of log4j (1.2.x) have scenarios under which they are also vulnerable. We've not hit that in our asset inventory... yet.
 
Oh we have... yea, dunno how this affects 1.2. But it's been a busy weekend and first workday after the weekend. There are a ton of nooks and crannies to check.
 
The Log4j vulnerability is definitely not the "worst threat to modern computing" in history. It's relatively easy to mitigate, pending that there isn't a lot of dependence on older versions of Java. If you can't patch, just disable remote control until a patch can be rolled out.
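
For the question raised in the thread of whether a firmware image or server ships log4j at all, and the asset-inventory checks mentioned in the later posts, one way to look is to search every Java archive, including archives nested inside other archives, for the `JndiLookup` class that log4j-core 2.x contains. This is an added example, not part of the thread and not code from any poster or vendor; the function names, the nesting depth limit of 4 and the in-memory sample jar helper are assumptions made here, and log4j 1.2.x is not covered.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
THRESHOLD = (2, 15)  # "Log4j prior 2.15", the cut-off named in the thread

def classify(version):
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return "unknown-version"
    return "older-than-2.15" if (int(m[1]), int(m[2])) < THRESHOLD else "2.15-or-later"

def scan_archive(data, label, depth=0):
    """Find log4j-core copies in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:  # present even when the jar file itself was renamed
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else None
            findings.append((label, version, classify(version)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES) and depth < 4:  # assumed nesting limit
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    return findings

def scan_tree(root):  # root: e.g. an unpacked firmware or application directory
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    findings += scan_archive(fh.read(), fh.name)
    return findings

def make_jar(members):  # builds a constructed sample archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

An empty result from `scan_tree` only means no log4j-core 2.x class files were found in Java archives under that directory; an "unknown-version" hit needs manual review because the Maven metadata was stripped.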
 
