
This thread was archived. Please ask a new question if you need help.

Log4j Immunizer extension. Maybe something for the core product?

  • 1 reply
  • 1 has this problem
  • 4 views
  • Last reply by Paul


For two days now there has been a Log4j Immunizer extension, which is not Mozilla vetted. The code is available on GitHub, and what it does is block attempts to connect to private IP networks if the request comes as a result of a page that is on a public IP network. This prevents drive-by based probes/attacks where a web site uses code to try to connect to internal private servers. It is simple enough code and it looks legit (and protects against more than just Log4j).

The people who have produced it are new (which is always suspicious). E.g. their GitHub account is two days old. Their web site describes them to be a startup of some kind in the cyber insurance business.

https://github.com/paladincyber/log4jprotector

Of course, if this is not a vetted extension, an update tomorrow can contain quite different code.

As it stands now:

  1. Is it safe to use this extension to prevent this kind of flyby using the browser to probe internal services? (But turn off auto-update until it becomes a vetted extension.)
  2. Would such a function not be a good security add-on for the core product anyway?

Modified by gerben.wierda on
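To make the behaviour described in the question concrete, here is an added example (my own illustration, not code from the paladincyber extension) of the decision such an add-on has to make: block a request when the page that initiated it is on a public address and the target is on a private or local address. It assumes the target host is a literal IPv4 address or `localhost`; hostnames that resolve to private addresses are not classified here and are treated as public.

```javascript
// Added example, not the extension's own code. Classifies hosts as private/local
// and decides whether a public-origin page may reach them.
const PRIVATE_RANGES = [
  ["10.0.0.0", 8],     // RFC 1918
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local (includes cloud metadata endpoints)
  ["0.0.0.0", 8],      // "this" network
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True for localhost and IPv4 literals in the private/local ranges above.
// Assumption: other hostnames are left unclassified (returns false), so a page
// on an intranet name would be treated as public by shouldBlock().
function isPrivateHost(host) {
  if (host === "localhost" || host === "[::1]") return true;
  const n = ipv4ToInt(host);
  if (n === null) return false;
  return PRIVATE_RANGES.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Block when a public-origin page targets a private/local host over HTTP(S)/WS.
// A missing initiator (user-typed navigation) is never blocked.
function shouldBlock(initiatorUrl, requestUrl) {
  if (!initiatorUrl) return false;
  const origin = new URL(initiatorUrl);
  const target = new URL(requestUrl);
  if (!["http:", "https:", "ws:", "wss:"].includes(target.protocol)) return false;
  return !isPrivateHost(origin.hostname) && isPrivateHost(target.hostname);
}
```

In a Firefox WebExtension this decision would sit inside a `browser.webRequest.onBeforeRequest` listener registered with the `"blocking"` option, returning `{cancel: true}` when `shouldBlock(details.originUrl, details.url)` is true.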

All Replies (1)


Hi

That add-on is currently available at:

https://addons.mozilla.org/en-US/firefox/addon/paladin-log4j-immunizer/

Whether it should be included in Firefox is a bigger question. The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.