log4j exploit - what to do??

fabilau said:
So my question is, does Proxmox also use this package?
Click to expand...
There is no Java used on the Proxmox VE side of things.
Proxmox VE is mostly written in Perl, with some daemons in C and Rust. The same goes for the Mail Gateway. The Proxmox Backup Server is written primarily in Rust.

Since our products are all open source, feel free to check out the source code at https://git.proxmox.com/

This is of course only valid for a standard installation. If you did install some 3rd party software that is using Java, you might be affected. A first step to figure that out would be to check for any java processes running. I think
Code: 
ps auxwf | grep java
should do the trick.
Edit: Though that would also give results if you have some java running inside a container. Check who the owner is.
 
Last edited:
  • Like
Reactions: 0bit, janssensm, Stoiko Ivanov and 3 others
aaron said:
There is no Java used on the Proxmox VE side of things.
Proxmox VE is mostly written in Perl, with some daemons in C and Rust. The same goes for the Mail Gateway. The Proxmox Backup Server is written primarily in Rust.

Since our products are all open source, feel free to check out the source code at https://git.proxmox.com/

This is of course only valid for a standard installation. If you did install some 3rd party software that is using Java, you might be affected. A first step to figure that out would be to check for any java processes running. I think
Code: 
ps auxwf | grep java
should do the trick.
Edit: Though that would also give results if you have some java running inside a container. Check who the owner is.
Click to expand...
Great, thanks for the swift response @aaron

XenForo might be impacted though:
https://xenforo.com/community/threa...h-and-more-via-apache-log4j-log4shell.201145/
 
Hi,

there is a good command to proof, if your machines are affected:

Code: 
sudo find / -name log4j-core-*.jar

Sometimes the lib is packed into a *.jar file. To proof this you can use:

Code: 
sudo find / -name \*.jar -exec sh -c "if zipinfo {} | grep JndiLookup.class; then echo -e '{}\n'; fi" \; 2>/dev/null


put the commands into the proxmox shell. This will proof your containers, too. For the virtual machines you need to put the commands into there shells.
As you can see, my unifi controller (CT 106) was affected. A simple apt update && apt upgrade did the trick for this. It's now at version 2.15
 

Attachments

  • Unbenannt.PNG
    Unbenannt.PNG
    14.7 KB · Views: 78
  • Like
Reactions: Galal and vongehlens
Where would I check for possible attacks (on CTs /VMs) ?
Is there some default log active, that I would check, and what would I look out for?

(I really dont think what I administrate was attacked inside VPN and with only neo4j using log4j, but I'm curious)
 
I think that would be difficult. You could search all log files for the attackers command (don't know if I am allowed to post it). But since it could be, that the attacker deleted the log entry's you cannot be sure if your system is injected with something....
But maybe someone else has an idea.
 
mahofst said:
Where would I check for possible attacks (on CTs /VMs) ?
Is there some default log active, that I would check, and what would I look out for?
Click to expand...
in your web logs mainly. most exploit attempts are sending HTTP requests with the malicious payload inside some header (User-Agent is common, along with some other ones).

if you search online you can find fail2ban filter rules ;) [0]

just look out for common signs of compromise if you have doubts:
* new users on the system
* unfamiliar processes taking a lot of resources
* weird cron jobs
* missing/deleted logs
and the regular stuff.

although if you're not using any java you shouldn't have to worry about it :)

from our stack there's nothing we use java with, so default installations are safe as mentioned before...

[0]: https://github.com/atnetws/fail2ban-log4j/blob/main/apache-jndi.conf
 
Last edited:
  • Like
Reactions: janssensm
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back