I have a pair of Java/Tomcat web applications running on a third-party (customer) server, and of late those applications can no longer list or download objects from Amazon S3. This is a "nothing changed" situation, where I got a bug report out of the blue on what were stable systems. Our other users hosting the software on their own Windows networks don't have this issue, and the instances we host on Amazon EC2 likewise have no issue. I was able to identify the date it stopped working, but Customer IT likewise says "nothing changed". I do see Sophos software running on the machine in question, but I am not sure if that's the issue, and it appears to have been installed a while before this occurred.

To reiterate, I have two (2) applications running on this server that interact with S3, and they both started failing at the exact same time. One app posts to SQS (this works) and another polls SQS (this works).

To debug this, I have attempted the following:

1. Installed the AWS CLI on the problem server and attempted to list-objects.
2. Pointed my own development environment (outside the customer network) at the problem server's DB (available via VPN) to verify the properties/config setup.
3. Hardcoded the references to S3 resources and redeployed, to verify the issue isn't app initialization/failure to resolve config.
4. Put explicit log statements all around the failing methods to isolate the exact line that fails. This still fails, but the logs are outputting the correct bucket and key, so config/setup does not appear to be the issue. The failing call is AmazonS3's listObjects(string, string) method.
5. Checked the Sophos McsAgent.log and McsClient.log to see if anything obviously related to my applications was popping up.
6. Tried to run a unit test within the application's code base on the problem server that also invokes the listObjects() method.

In the live/running failure case, I do not get an exception thrown by the listObjects method. It simply appears to execute indefinitely, after I set the browser timeouts that reproduce this to be fairly long (9000000 ms).

At this point I am not sure what the next debugging step would be, but I believe the evidence strongly points to an issue related to Tomcat making this request from within their four walls.
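One way to take the next step the question asks for, as an added example that is not part of the original post or of either application: a stand-alone probe that walks the same network path the failing listObjects(bucket, prefix) call takes, one stage at a time, with a hard timeout on every stage, so "runs forever" turns into a named failure at a specific point (DNS, TCP, TLS, or the SDK request). The bucket, prefix, region and the endpoint host derived from them are assumptions to replace; the AWS SDK for Java v1 (com.amazonaws.*) is assumed because it is the SDK that has the AmazonS3.listObjects(String, String) signature the question names.

```java
import com.amazonaws.AmazonClientException;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.s3.model.S3ObjectSummary;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;

/**
 * Stage-by-stage probe of the path a listObjects(bucket, prefix) call takes.
 * Every stage has a hard timeout, so a hang becomes a named failure at one
 * stage. Run it on the problem server, as the account the Tomcat service uses.
 */
public class S3PathProbe {
    // ASSUMED values: replace with the real bucket, prefix and region.
    static final String BUCKET = "example-bucket";
    static final String PREFIX = "example/prefix/";
    static final String REGION = "us-east-1";
    // Virtual-hosted-style endpoint the SDK resolves for this bucket/region.
    static final String HOST = BUCKET + ".s3." + REGION + ".amazonaws.com";
    static final int TIMEOUT_MS = 10_000;

    public static void main(String[] args) throws Exception {
        // Stage 1: DNS. A filtered or split-horizon resolver shows up here.
        for (InetAddress a : InetAddress.getAllByName(HOST)) {
            System.out.println("DNS  " + HOST + " -> " + a.getHostAddress());
        }

        // Stage 2: TCP connect to 443 with a timeout. A firewall that silently
        // drops the SYN fails here with SocketTimeoutException instead of hanging.
        try (Socket tcp = new Socket()) {
            tcp.connect(new InetSocketAddress(HOST, 443), TIMEOUT_MS);
            System.out.println("TCP  connected to " + tcp.getRemoteSocketAddress());
        }

        // Stage 3: TLS handshake. The leaf certificate's issuer is the tell:
        // an intercepting proxy presents a certificate signed by its own CA,
        // not by Amazon's, and the JVM trust store may or may not accept it.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket tls = (SSLSocket) factory.createSocket()) {
            tls.connect(new InetSocketAddress(HOST, 443), TIMEOUT_MS);
            tls.setSoTimeout(TIMEOUT_MS);
            tls.startHandshake();
            X509Certificate leaf =
                    (X509Certificate) tls.getSession().getPeerCertificates()[0];
            System.out.println("TLS  " + tls.getSession().getProtocol()
                    + " subject=" + leaf.getSubjectX500Principal()
                    + " issuer=" + leaf.getIssuerX500Principal());
        }

        // Stage 4: the SDK call itself, with connection and socket timeouts
        // and no retries, so it either returns or throws within ~TIMEOUT_MS.
        // Credentials come from the SDK's default provider chain.
        ClientConfiguration cfg = new ClientConfiguration()
                .withConnectionTimeout(TIMEOUT_MS)
                .withSocketTimeout(TIMEOUT_MS)
                .withMaxErrorRetry(0);
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withRegion(REGION)
                .withClientConfiguration(cfg)
                .build();
        try {
            ObjectListing listing = s3.listObjects(BUCKET, PREFIX);
            System.out.println("S3   listObjects returned "
                    + listing.getObjectSummaries().size() + " keys");
            for (S3ObjectSummary o : listing.getObjectSummaries()) {
                System.out.println("     " + o.getKey());
            }
        } catch (AmazonClientException e) {
            // Service errors (403/404) and client-side failures (timeouts,
            // TLS) both land here; the exception text says which.
            System.out.println("S3   FAILED: " + e);
        }
    }
}
```

Compile it with the aws-java-sdk-s3 jar (and its dependencies) on the classpath and run it under the same Windows account the Tomcat service runs as, not an administrator's interactive shell: proxy settings on Windows are per user, and an endpoint agent can treat java.exe differently from a command prompt, so a CLI test that passes from a logged-in session does not prove the service account has the same path. Stages 2 and 3 deliberately open a direct socket; if the customer network only allows egress through a proxy, they will time out while the SDK stage may still succeed once proxy settings are supplied through ClientConfiguration's withProxyHost and withProxyPort.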