This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Cari Bantuan

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Pelajari Lebih Lanjut

Log4j Immunizer extension. Maybe something for the core product?

  • 1 balas
  • 1 memiliki masalah ini
  • 7 kunjungan
  • Balasan terakhir oleh Paul

more options

There is now since two days an Log4j Immunizer extension, which is not Mozilla vetted. The code is available on GitHub and what it does is it blocks attempts to connect to private IP networks if the request comes as a result from a page that is on a public IP network. This prevents drive-by based probes/attacks where a web site uses code to try to connect to internal private servers. It is simple enough code and it looks legit (and protects against more than just Log4j)

The people who have produced it are new (which is always suspicious). E.g. their GitHub account is two days old. Their web site describes them to be a startup of some kind in the cyber insurance business.

https://github.com/paladincyber/log4jprotector https://github.com/paladincyber/log4jprotector

Of course, if this is not a vetted extension, an update tomorrow can contain quite different code.

As it stands now:

  1. It it safe to use this extension to prevent this kind of flyby using the browser to probe internal services? (But turn off auto-update until it becomes a vetted extension)
  2. Would such a function not be a good security add-on for the core product anyway?
There is now since two days an Log4j Immunizer extension, which is not Mozilla vetted. The code is available on GitHub and what it does is it blocks attempts to connect to private IP networks if the request comes as a result from a page that is on a public IP network. This prevents drive-by based probes/attacks where a web site uses code to try to connect to internal private servers. It is simple enough code and it looks legit (and protects against more than just Log4j) The people who have produced it are new (which is always suspicious). E.g. their GitHub account is two days old. Their web site describes them to be a startup of some kind in the cyber insurance business. [https://github.com/paladincyber/log4jprotector] https://github.com/paladincyber/log4jprotector Of course, if this is not a vetted extension, an update tomorrow can contain quite different code. As it stands now: # It it safe to use this extension to prevent this kind of flyby using the browser to probe internal services? (But turn off auto-update until it becomes a vetted extension) # Would such a function not be a good security add-on for the core product anyway?

Diperbarui oleh gerben.wierda pada

Semua Balasan (1)

more options

Hi

That add-on is currently available at:

https://addons.mozilla.org/en-US/firefox/addon/paladin-log4j-immunizer/

Whether it should be included in Firefox is a bigger question. The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.