hmmmm such video very wow so anyways join my newsletter at jh.live/newsletter and check out jh.live/training for more cybersecurity stuff
John out here killing 2 birds with one stone. Showing us the severity of this vuln, but also showing us how to setup a minecraft server
came for the minecraft server setup, stayed for the cybersecurity discussion
haha
The hero we need.
It's also circular:
With Minecraft (servers) there is a desire for security exploits and botnets, Senpai (as we've seen the children ... or better, criminals playing and disintegrating half of the internet several times for ... immature nonsense as the occasion).
So there is a need for security experts, who also play Minecraft, who set up servers or tell how to set up servers correctly (of course, the security has an expiration date :) ) ...
... oh, and the side effect that we get informative, high quality videos from John is also nice, thank you :)
John, you’re getting big out there if you weren’t already. My organization cited this video directly for information on this vulnerability. Very well done.
The calculator opens up twice at 20:43 because both the server and client logger got the payload. Great video btw!
It actually calls it twice from the server. If you run Minecraft on Java 7 or earlier it will run on the client as well though.
When I tried it myself I also got 2 requests, but I think that's because the log message gets processed once for the console window and once for the latest.log file.
As Para noted in the comments below, I had a typo while attempting to download the old 1.8.8 version of the PaperMC server ("builds" instead of "build"). At the time of writing this comment, that old version is still available for download with the right link.
Additionally, the language "zero-day clusterbomb" should be credited to Florian Roth. He described the log4j vulnerability as such, and I just think it is such a perfect name for it.
Thanks again for all the great content!
Are Android and iOS apps and devices also affected by this Log4j vulnerability?
New subscriber here, It is awesome finding someone who can really nerd out on security. What a great video, thank you.
Great explanation, thank you for the work and presentation, John!:)
Now to the superfluous, cynical and schadenfreude-pregnant part: It's the ol' wisdom -> Java users get what they deserve! Why not install even FLASH? :P
Sorry for that ... and to you and yours, the community (including hard working Java related folks), I wish a good new year:)
Can you defeat Windows Defender with Log4j through Minecraft?
I was waiting for John's detailed video to come out. This is a one-stop shop for all the information you need regarding CVE-2021-44228.
Thank you
Thank you pilgrim.
This is all nuts. Thank you for sharing the nitty and gritty
>Working in IT
>Wondering what the hell is going on, why are there so many tickets titled Log4J something
>Watches the video
>I'm fucked
I also work in IT. We got a bunch of log4j tickets as well and I just remembered the new vulnerability, so I was like, someone's patching it, right?
I am a security guy and all I can say is that it was a busy Monday.
@@aliencatmeow Wow, where do you work where people are actually targeting you?
@@aliencatmeow answer
Not the most pleasant way for our worlds to collide, but a good video!
It's amazing how much of the world is built on free labor and how little everyone values open source.
Wise words.
Kind of a microcosm of capitalism if you think about it
"Hippedy hoppedy, your code is now my property" that cracked me up ngl
I HAVE to remember this quote! 😂🤣😂🤣
Needed as Merch
Reminded me of Dani
tbh me too
This video is amazing, it combines my all-time favorite game with exploiting a vulnerability and to top it all off the video is made by the incredibly talented John Hammond. 10/10 would watch again.
Note, at 8:55 the version is still available; you made a typo in the URL, it's supposed to be /builds/ instead of /build/.
One of the best Log4j demos, learned so much John. Big thumbs up! Thanks!
A friend got ratted with this vulnerability so thanks for sharing and spreading the news
you're super inspiring John. Thank you so much for your work and vibe!
Thanks for this, awesome work. Very impressive.
Was waiting on your video so I could better understand, and you most def did not disappoint. I appreciate your work.
There we go, been waiting for this vid since the panic yesterday.
Great video, John!
Very well demonstrated! Understood the whole pipeline from the setup to execution
Thanks John! Great video showcasing this new vulnerability. I found it to be very well explained and demonstrated.
Thanks for that video and the explanation on this topic!
I can finally set up my first Minecraft server. Thanks to John.
Absolutely amazing! Thank you for sharing it and giving it a high quality explanation!
My work week has been utter HELL because of log4j!! So glad it's a holiday next week!
Great video as always, John. This vulnerability is quite disturbing with how old it potentially might be. I remember implementing log4j in several projects, possibly including minecraft.
Something else that makes this massive is Apache Solr uses Log4j. Solr is in a LOT of things and typically gets little attention. Thanks for the demo! Super helpful!
Great great great explanation, John. Thank you for the video and also the testing tool, it'll be very useful for me and my team for the next few days :)
I loved the hippity hoppity, your code is now my property lol. Great video!!!!
Good video as always, very informative! 🧑💻
John giving us gifts with these videos, dude is straight fire!
Great vid John, found it very interesting and hopefully this will help a lot of admins.
Great video, very educative. Thanks for the time you took to make this one.
I was looking for a video to explain the vuln and of course Mr. Hammond had one out already. You are a saint.
Great John! Thanks for the video.
amazing that you have already set up a room for log4j on thm !!
I waited for this video all day, you are amazing 🤩
You should do more stuff like this. I know it's not every day that an exploit like this is discovered and CTFs are likely far easier for you to make, but live exploitation demos like this are super cool.
That's what most CTFs are... Previous RCEs and SSRF exploitation in old software... Lmao.
Agreed.
@@Hope-kf1nl Not really. CTFs don't show the blue team side, and showing how to make your own test environment is a valuable skill. I'd like to see more of both.
@@embly2319 I'm a little confused by your question. You'd want him to create a test environment for every single video?
A lot of John's content is educational from a Red Team perspective. He works full time and I doubt he has time to set up a test environment (which has its own caveats and bugs) as well as exploit it.
I'd assume he'd need to put a lot more work into each video, which means less time he has to get things posted. Believe it or not, we all have full-time jobs paying over 100k+ in the security field that keep the lights on.
I doubt John wants to quit his day job and just focus on trying to post videos that would likely require 10x the work for very little reward...
@@Hope-kf1nl Didn't ask you a question anywhere in my comments. I acknowledged that this takes more time in my first comment. I don't think John would be in any danger of becoming homeless if he started doing more vids like this, that's kind of ridiculous. My original point still stands that all of the things being showcased are valuable skills for newbies, and imo it makes for more interesting content. There isn't a lot of high quality content like this on UA-cam, so it would be nice to have more.
Amazing video John!!
Thank you, good work done! Nicely explained, demonstrated and remedied. 👏
I heard “0day” 4 times and I appeared 😀
Yo
Thanks for helping get out the info John!
Awesome presentation. Thank you :)
Thank you very much for your insights, you have opened my eyes!
Excellent video.. about log4j with practical explanation.
Thx for a video. Learned a lot from u 🙌
Thanks for the vid man!
Brilliant! All 34 minutes of it!
Hey thanks for sharing this John
lol so many cuts must be a real tough job making this video. Thanks!
This video is AMAZING! You covered everything, I don't regret being a subscriber. Thanks John for another good video; the new people that came from a gaming community and don't know you are really losing the game 😂
Amazing work, thank you!
Thanks for the educational POC 👊🏾
Followed you on twitter a long while back, but wanted to sub and drop a comment here, as well. Appreciate all you do for the larger community. Thank you.
I like the waiting screen John!
Thank you John for the video.
Thanks John. Great Breakdown...
And for those who found out on the programming side of things...Best of Luck in this yet to be determined period of hell as you drop everything to fix this.
Great explanation. Thank you 👍
Super interesting! Thank you!
Hunter!! Hacker!! Great video ever! The thrill of pwning the system!
Great tutorial btw John!! I'm a sysadmin and feel like a noob when it comes to shit like this. I think if there was a GUI for these servers you're spinning up it would make it much easier to understand, but I know that's not the case.
I know we are about to hear from John Hammond but has anyone asked what JaRule thinks of the log4j zero day?
Lol
I don't get this joke... Like, at all
@@frosecold You should ask JaRule why it's funny
@@frosecold Dave Chappelle had a special from 2005 or so where he talks about seeing JaRule being interviewed after 9/11 and the joke goes on basically as josh outlined there. It's a great special actually
looooool too good
Nice and thank you for this video
Minecraft is just the tip of the iceberg no sentence has made me more invested before
This kind of instability of the digital world always terrifies me. Like the Jurassic Park movie. It's always about the budget and deadlines of the companies, which cause cheap and lazy solutions, but the marketing is selling these products to key positions and therefore it's affecting everybody. Thank you and the other talented hackers in the world who are working for us instead of against us! Open source forever!
This is a great explainer!
Thanks professor John... I believe Grinch Enterprises will use this to attack Santa... If not this year, next for sure... We'll be ready...💪🎄
If you implement proper outbound traffic filtering, even if your server is vulnerable, this will not work. Basic hygiene. And this is so shockingly underrated.
Merry Grichmas John
Really dope video 😃😃😃
great work, keep up the good work
That is some juicy detail on log4j, I am lucky to be his subscriber.
What would happen if Windows Defender was active at 21:50?
Keep up the good work John.
Thanks for the information, see you soon
You can't execute code on clients connected to a Minecraft server, am I right? I've seen a few videos that say the opposite, but that sounded wrong. Can you tell something about it?
This is amazing!!! Thanks
3 billion devices... Oracle has been showing that on their installer/updater for the last 15 years...
Yeah. Nowadays it's 9/12 Billion devices. Java runs the world 💪
Thanks John great work
You need cyber running shoes to keep up with John - still trying to decipher whether or not he ever pauses long enough to take a breath :)
Hippity hoppity your code is now my property 😆 that's gold
I really love your videos. I am not a fan of the "omg face" on the thumbnails. It is a psychological ploy (if you did not know) to get more views. However, you are the last channel I still watch with these thumbnails because your knowledge is legit (I click "do not recommend channel" on ALL other channels that use this ploy), but not yours. It's a bit goofy and juxtaposed to your legendary teaching and knowledge :)
Great info for someone working in a SOC that's for sure.
We’ve been dealing with this at work, many of our SAP systems run JAVA. :(
Awesome video as always, that shirt is dope! Where can I snag one?
"Hippity hoppity, your code is now my property"
Regarding the industry chatter, the toxic arrogance is probably my biggest issue with the security industry. I used to work as a security analyst, and for the last two years have been working as a software engineer. I know first hand what it's like to see vulnerabilities exploited, and I know what it's like to push out code fit for use on a deadline. It's SUUUUPER easy to play Captain Hindsight and tell developers to grow up, not so easy to be a developer with a full time job, building an open source product in their spare time.
The github repo at 3:40 seems to have been removed.. Interesting..
legend says Shodan is poppin rn
Thanks for the vid!
Wayback machine still has the downloads for the papermc 1.8.8
Santa's bag of toys was a piece of cake video, almost 0 level difficulty 😎
But this...🤯 Very fast to me to understand and track all the steps.
No hate, video is great as always)
Rust version of Minecraft when?
1:43 You did your best 😜
I think you forgot the timestamps. Great video, this is gonna bring a lot of people to your channel
Thx Ed Sheeran for sharing this PoC with us. Cheers
Is there something similar for newer versions of minecraft e.g. 1.20.1?
how was this only a month ago it feels like 2 weeks ago