Solr is vulnerable if you grab the right version from Docker Hub (8.8.0 works nicely). But - the Java executable in there is from within the last few years, and those all disallow remote code includes via JNDI... So by default it's not going to give you RCE - at least not with the method commonly cited.
Mostly done with my #log4shell range - Terraform and Ansible deploy it to AWS so you can play around with log4shell.
Great little short. #dust
I35 in Kansas miles 40-60 always fly past. In either direction you come out of hours of placid plains into comparably dazzling suburbia of Wichita. I can't help but look around almost in wonder, my mind soaking in the distraction. By the time I catch my bearings we're out the other side driving through the fields again.
I spent way too long on Elastic given that their docs say it isn't exploitable due to mitigations... Oh well.
Spent a few hours last night trying to get #log4j RCE on fresh ElasticSearch, Jetty, and Solr (not enough time on this one) installs. But no luck.
Support #EFF this week, and your donation will pack double the punch with an automatic 2X match... https://eff.org/power-up
CQ CQ CQ Want to learn CW. I do have a straight key and want to use it on Linux.
How can I physically connect it ? Do I just treat it as a switch and implement hardware debounce ? Or use a GPIO on a pi(w), or hacking a old mouse to replace right click, a ESPxx with a HID interface ?
Advice on this would be appreciated ?
https://lobste.rs/s/waahpl/jumping_air_gap_15_years_nation_state
ESET looks at #malware that jumps the air gap - how the samples they know about work, and general #defense measures.
Computer science guy, electrical engineer, US Air Force officer, jogger, likes teaching programming, aka KC0BFV.
Likes programming in: Rust, Python, JavaScript, C
Reluctantly uses: Roku's BrightScript, C++, anything