I came to the conclusion yesterday (probably spent too many hours just with Zimbra) that we were probably fine but continued to work on this that are not zimbra specific in case we were not. I also spent a lot of time looking at various payloads from some of the RCE's. A few vendors still haven't figured out how bad this is. Here is a copy of one of the payloads:
https://pastebin.com/wHbfvjL0
I spent some of my time yesterday opening tickets trying to get active firewall dropping of attacking ip's with our various cloud providers to protect the entire networks we are in. We also fenced in our machines with ipsets using the greynoise ip's as they were discovered. A few strategies that some of you can do for your networks is IMMA. For the SOHO administrators, I think you saw discussion of some techniques if you read between the lines in some of the postings in this thread.
I = isolate
M = Minimize
M = Monitor
A = Active Defense
Ref:
https://twitter.com/bettersafetynet/sta ... 4977745932
In the above, he walks you through the steps and what they mean.
The confusion in this thread shows how difficult it can be for even seasoned administrators or a vendor to participate given the fear of not knowing definitively. I am guilty of that myself as I spent most of my day mitigating our defenses using the above strategies of IMMA and wondering if I had done enough.
I want to thank all of you and Mark specifically for trying to get Synacor to speak out on this and keep information flowing as it was a huge help given this can be a lonely job at times like this.
For Zimbra/Synacor if they are reading this, it would have been appropriate to use these forums and show active leadership as CloudFlare and Greynoise CEO's did via twitter early on and say this is so bad we will get out in front of this (customer or not a customer we will help you). Both provided mitigation tools/strategies without fee. it would have also have been appropriate to see a Zimbra posting in these forums or blog entry from Synacor to say "we use log4j this way or do not use it this way" and believe we are NOT VULNERABLE but you could be if you did this and this in your configurations. Also sending an email with a link to the blog posting or a statement in the email when you discovered it wasn't a problem for your product. We know you have our email addresses as you send out emails highlighting your network partners or product offerings.
Lastly, the posting of the developer comment links in this thread were very helpful. Thanks everyone for those as it was a great starting point for me to dig deeper.
These 0-days are more lucrative than bug bounties so expecting these unfortunately is our future.
Jim