log4shell and NEMO


Sergi Lendínez

Jan 10, 2022, 3:51:22 PM
to nemo
Hello NEMO community,

Happy new year to everyone!

Here at LSU, our Django has been sending us some errors, warnings and broken link emails (100+ emails/day) for the last month, in what seems to be related to the log4shell vulnerability found recently. I am attaching an example of each of those emails. Is anyone else experiencing something similar?

I was wondering if we need to do something with our NEMO distribution to patch the vulnerability. (We are running the most recent nemo v3.13.2 and we have also just updated the CentOS distribution on the server.)

If NEMO is not vulnerable, how can we prevent these emails?

Thank you very much,
Sergi
        
_Django_ Broken link on nemo_che_lsu_edu.msg
_Django_ ERROR (EXTERNAL IP)_ Invalid HTTP_HOST header_ 'sjfklsjfkldfjklsdfjdlksjfdsljk_foo'_ You may need to add 'sjfklsjfkldfjklsdfjdlksjfdsljk_foo' to ALLOWED_HOSTS_.msg
_Django_ WARNING (EXTERNAL IP)_ Forbidden (Referer checking failed - no Referer_)_ _.msg

Dylan Klomparens

Jan 10, 2022, 3:55:27 PM
to Sergi Lendínez, nemo
This blog article may be helpful. Perhaps try it, and see if the errors go down?

However, you could very well be vulnerable to log4shell also. Both are possibilities. I recommend consulting your institution's cybersecurity or IT department.

--
You received this message because you are subscribed to the Google Groups "nemo" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nemo+uns...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/nemo/64e29290-cb4c-4e44-b93a-2582c857d51an%40list.nist.gov.

Björn Pedersen

Jan 11, 2022, 5:17:38 AM
to nemo, sergi...@gmail.com
NEMO is Python-based, not Java-based, so log4j is never used and there is no vulnerability. What you see are mails about URLs that NEMO does not use. These are generated by scripts scanning for log4j-vulnerable services...

Björn

Chris Schwehm

Jan 11, 2022, 10:44:06 AM
to Björn Pedersen, nemo, sergi...@gmail.com
Björn,

Thanks.  When you talk about the scanning scripts, are these scripts that are running on the nemo server or are these scripts that are likely being run by our security group on all of our servers looking for vulnerabilities?

Thanks,

Chris Schwehm


Björn Pedersen

Jan 11, 2022, 11:18:34 AM
to nemo, csch...@gmail.com, nemo, sergi...@gmail.com, Björn Pedersen
csch...@gmail.com wrote on Tuesday, 11 January 2022 at 16:44:06 UTC+1:
Björn,

Thanks.  When you talk about the scanning scripts, are these scripts that are running on the nemo server or are these scripts that are likely being run by our security group on all of our servers looking for vulnerabilities?


No, those are run by the bad guys (on their servers); they just try any public URL to see if it is vulnerable (you will also find /wordpress etc. if you look at the logs). There is not much you can do...
 
Björn 
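
On the question earlier in the thread of how to prevent these emails, here is an added example (not from any poster and not NEMO's own configuration) of a Django-style `LOGGING` dict that sends the "Invalid HTTP_HOST header" and "Referer checking failed" messages to a separate log instead of the admin mailbox. The logger names `django.security.DisallowedHost` and `django.security.csrf` are Django's; the handler names, the `Capture` stand-in class, the WARNING mail level and the sample messages are assumptions made so the routing can be run and checked without Django installed.

```python
import logging
import logging.config


class Capture(logging.Handler):
    """Constructed stand-in that collects messages instead of mailing or writing them."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record.getMessage())


# In a real settings.py, "mail_admins" would be django.utils.log.AdminEmailHandler
# and "scan_log" a file handler. Capture is used so the block runs without Django.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {
        "mail_admins": {"()": Capture, "level": "WARNING"},
        "scan_log": {"()": Capture, "level": "WARNING"},
    },
    "loggers": {
        # Everything under "django" reaches the mail handler unless overridden below.
        "django": {"handlers": ["mail_admins"], "level": "INFO"},
        # Bad Host headers and failed CSRF/Referer checks: keep a record, send no mail.
        "django.security.DisallowedHost": {"handlers": ["scan_log"], "propagate": False},
        "django.security.csrf": {"handlers": ["scan_log"], "propagate": False},
    },
}


def demo():
    """Emit three constructed messages and return (mailed, logged_only)."""
    logging.config.dictConfig(LOGGING)
    mail = logging.getLogger("django").handlers[0]
    scan = logging.getLogger("django.security.csrf").handlers[0]
    logging.getLogger("django.security.DisallowedHost").error(
        "Invalid HTTP_HOST header: 'constructed.invalid'.")
    logging.getLogger("django.security.csrf").warning(
        "Forbidden (Referer checking failed - no Referer.): /")
    logging.getLogger("django.request").error("Internal Server Error: /constructed/")
    return mail.records, scan.records


if __name__ == "__main__":
    print(demo())
```

Routing the scanner noise to its own log rather than discarding it keeps the probe traffic available for review, while genuine application errors still reach the mailbox.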