December 14, 2021

Fixing the Log4j2 vulnerability in a Spring Boot application

 Hi all,

The software industry was in shock over the Log4j2 zero-day exploit.

Exploited area

Apache Log4j2 versions >= 2.0 and <= 2.14.1 are exploitable through attacker-controlled LDAP and JNDI endpoints.

Appendix

LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for accessing directory services.

JNDI (Java Naming and Directory Interface) is a Java API for a directory service that allows Java software clients to discover and look up data and resources via a name.

More information about the vulnerability is available on the NVD website:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

NVD (National Vulnerability Database) is maintained by the National Institute of Standards and Technology (NIST), an official part of the United States of America (USA) government's Department of Commerce.

Fix the vulnerability

  • Even the latest Spring Boot package uses the vulnerable Log4j2 version 2.14.1.
  • So, we need to explicitly set the version in the properties as below.
  • In the pom.xml file, create the <properties> tag if it does not exist and add the log4j2.version property with version 2.16.0 (latest).

<properties>
    <log4j2.version>2.16.0</log4j2.version>
</properties>

  • To check the version applied to the project, run the following command
mvn dependency:tree | grep "log4j"
  • The result should look like below
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile

  • Similar fixes for this vulnerability are available for other project builds.
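
The grep check above, turned into a version test (an added example, not part of the original post): it reads `mvn dependency:tree` output and prints every Log4j2 artifact whose version lies in the range given above, >= 2.0 and <= 2.14.1. The function name and the sample tree are constructed for illustration; a hit on log4j-core matters most, since that artifact carries the JNDI lookup code.

```shell
#!/bin/sh
# Added example: flag Log4j2 artifacts inside the range the post gives
# (>= 2.0 and <= 2.14.1). Backported security releases on older release
# lines are not special-cased here.

# Constructed sample of `mvn dependency:tree` output, for an offline run.
SAMPLE_TREE='[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.32:compile'

# Reads dependency:tree lines on stdin; prints "artifact version" per hit.
find_vulnerable_log4j() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^org\.apache\.logging\.log4j:/) continue
        # Maven coordinate: group:artifact:type[:classifier]:version:scope
        n = split($i, c, ":")
        ver = (n >= 5) ? c[n - 1] : c[n]
        split(ver, v, "[.]")
        # "+ 0" keeps the leading digits, so "0-beta9" compares as 0
        major = v[1] + 0; minor = v[2] + 0; patch = v[3] + 0
        if (major == 2 && (minor < 14 || (minor == 14 && patch <= 1)))
          print c[2], ver
      }
    }'
}

# Offline demo on the constructed sample; on a real project run:
#   mvn dependency:tree | find_vulnerable_log4j
printf '%s\n' "$SAMPLE_TREE" | find_vulnerable_log4j
```

No output means no Log4j2 artifact in the tree falls inside that range.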


Hope you will find the above information useful and fix the issue immediately to keep the servers safe from attacks.

Send your valuable feedback and comments to psrdotcom@gmail.com

 

November 26, 2021

BitBucket to GitHub Repo Migration including history

Hi all,

In this blog, we will see how to move/copy a BitBucket repo to GitHub.

Checkout BitBucket Repo

git clone https://USER@bitbucket.org/USER/PROJECT.git

Add GitHub repo as upstream

cd project-folder
git remote add upstream https://github.com/USER/PROJECT.git

Note: To list the remotes that are already assigned, use the below command
git remote -v 

Push the branch(es)

git push upstream master
git push --tags upstream

If the push is unsuccessful, try the below to have the same history

git checkout upstreambranch
git branch main upstreambranch -f
git checkout main
git push origin main -f

Add redirect URL

git remote set-url origin git@github.com:USER/PROJECT.git

Clean up the BitBucket (old) repo [Optional]

Verify the content carefully on the GitHub repo

  1. Go to BitBucket account
  2. Navigate to the respective repository
  3. Click Settings -> Delete repository
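
One way to do the "verify the content" step before deleting anything, as an added example that is not part of the original post: compare the branches and tags the two remotes advertise and list whatever the new one lacks or holds at a different commit. The function names and the throwaway local repositories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are made up here.
# Prints every branch or tag of OLD_URL ($1) that NEW_URL ($2) lacks or holds
# at a different commit. No output means the new remote has everything.
refs_missing_on_new() {
  old=$(git ls-remote --heads --tags "$1") || return 2
  new=$(git ls-remote --heads --tags "$2") || return 2
  { printf '%s\n' "$new"; echo '--'; printf '%s\n' "$old"; } | awk '
    $1 == "--"  { in_old = 1; next }      # separator between the two lists
    !in_old     { have[$2] = $1; next }   # ref name -> commit id on NEW_URL
    NF == 2 && have[$2] != $1 { print $2 }'
}

# Builds two throwaway local bare repositories (constructed test data):
# old.git has master and tag v1, new.git received master only.
make_demo_remotes() {
  dir=$1
  git init -q --bare "$dir/old.git" && git init -q --bare "$dir/new.git" &&
  git init -q "$dir/work" &&
  git -C "$dir/work" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m "initial commit" &&
  git -C "$dir/work" branch -M master &&
  git -C "$dir/work" tag v1 &&
  git -C "$dir/work" push -q "$dir/old.git" master v1 &&
  git -C "$dir/work" push -q "$dir/new.git" master
}

# Real use, with the placeholders from the post:
#   refs_missing_on_new https://USER@bitbucket.org/USER/PROJECT.git \
#                       https://github.com/USER/PROJECT.git
```

On the demo repositories the function reports refs/tags/v1, the tag that was never pushed to the new remote.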

Hope this helps you to organize the repositories as per your choice to serve the best way for dev and ops.

Please send your feedback and comments to psrdotcom@gmail.com

Flutter Local (Inbuilt) Authentication usage

Hi folks,

Today I will explain the process of using local (in-built) authentication in Flutter.

Pre-requisites

1. Update pubspec.yaml
dependencies:
  local_auth: ^0.6.2+3
2. Install the packages from the command line
    $ flutter pub get
    Note: In Visual Studio Code or Android Studio, saving the pubspec.yaml file updates the packages automatically

Usage

1. Import the package in the respective dart file (say main.dart)
    import 'package:local_auth/local_auth.dart';
2. 

Troubleshooting

1. I/flutter : PlatformException(no_fragment_activity, local_auth plugin requires activity to be a FragmentActivity., null)

  • Open /android/app/src/main/kotlin/../MainActivity.kt
  • Update the file with following content
package com.[your.package]

import androidx.annotation.NonNull;
import io.flutter.embedding.android.FlutterFragmentActivity
import io.flutter.embedding.engine.FlutterEngine
import io.flutter.plugins.GeneratedPluginRegistrant

class MainActivity: FlutterFragmentActivity() {
    override fun configureFlutterEngine(@NonNull flutterEngine: FlutterEngine) {
        GeneratedPluginRegistrant.registerWith(flutterEngine);
    }
}

Please send your feedback and comments to psrdotcom@gmail.com


November 17, 2021

Extend Ubuntu VM hard disk space/size

 Hi all,


Today I will explain the process to extend the existing disk space in an Ubuntu VM.

Environment

  1. VMware
  2. Ubuntu

Context

Increase hard disk space more than initially configured for the Ubuntu VM.

Reason

The VM hard disk might be running out of space.

Procedure

  • Make sure we have shut down the Ubuntu VM
  • Increase the hard disk size
    • Make sure it's in the allowed range
  • Start the VM
  • Open the Disks application in Ubuntu
  • In below example we are extending it by additional 3GB
  • Select the Extended Partition block
  • Click Settings (Gear) icon
  • Choose Resize option
  • Use the increment (+) icon or scroll bar to increase the partition size
  • Click on Resize button
  • Enter credentials when prompted
  • By now, the extended partition will be increased
  • Time to select the file system, where exactly our data is getting stored
  • We will repeat the process of resizing like earlier
  • Using scrollbar increase the disk size
  • Click on the Resize button
  • The new hard disk size is now reflected.
Hurray !! You have increased your hard disk size to store more data on the Ubuntu VM.

The same process can be used for normal Ubuntu OS also.

Please send your comments and feedback to psrdotcom@gmail.com

October 07, 2021

Convert PEM to PFX/PKCS12(.p12) using OpenSSL

 Hi folks,

To keep it simple, a single command converts a .PEM format file to .p12/.pfx:

$ openssl pkcs12 -export -in domain.pem -out domain.p12



It will ask you to enter the export password (twice for confirmation).

It's up to you whether to enter a password or keep it empty (just press Enter), based on your use case.
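
The same conversion run non-interactively, as an added example that is not part of the original post: the export password is passed through an environment variable instead of the prompt, and the result is checked by opening the bundle again. The function names, the P12_PASS variable and the throwaway key pair are constructed for illustration; domain.pem has to hold both the certificate and its private key.

```shell
#!/bin/sh
# Added example (not from the original post); names below are made up here.

# Builds a throwaway self-signed key and certificate (constructed test data)
# and concatenates them into domain.pem inside directory $1.
make_test_pem() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  cat "$dir/cert.pem" "$dir/key.pem" > "$dir/domain.pem"
}

# Usage: pem_to_p12 IN.pem OUT.p12 PASSWORD
# The password reaches openssl through its environment (env:P12_PASS), so it
# does not appear among openssl's command-line arguments.
pem_to_p12() {
  P12_PASS=$3 openssl pkcs12 -export -in "$1" -out "$2" -passout env:P12_PASS
}

# Usage: p12_opens FILE.p12 PASSWORD
# Returns 0 only when the bundle can be read with the given password.
p12_opens() {
  P12_PASS=$2 openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}

# Example run in a scratch directory:
#   d=$(mktemp -d) && make_test_pem "$d"
#   pem_to_p12 "$d/domain.pem" "$d/domain.p12" 'choose-a-password'
#   p12_opens  "$d/domain.p12" 'choose-a-password' && echo "bundle is readable"
```

A bundle exported with a password does not open with an empty one, which is the difference the prompt's two choices make for anyone who obtains the file.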


Hope this helps you to convert the certificate format and use in your application or server.


Request to send your comments and feedback to psrdotcom@gmail.com

June 10, 2021

Generate Free SSL Certificate using ZeroSSL

 Hi all,


Today I am going to explain the process of generating a free SSL certificate using ZeroSSL.


Pre-requisite

  1. We should have our own domain
  2. We should be able to add/update the DNS settings like A, CNAME, TXT records

Best free SSL providers

As per my research I found the best free SSL (90 days) certificate providers

  1. ZeroSSL
  2. Let's Encrypt

In this blog, I'll explain the ZeroSSL process.

ZeroSSL Free SSL Certificate

  1. Navigate to https://zerossl.com/
  2. Signup with your email by clicking on "FreeSSL"
  3. After email verification, login to zerossl site
  4. Click on "New Certificate"
  5. Enter your domain name and click on "Next Step"
  6. Default validity is 90 days for free SSL
  7. In the CSR section we have a couple of options
  8. Default is Auto-Generate CSR enabled
  9. Disable Auto-Generate CSR - only your zerossl registered email address with default values
  10. Enable Paste Existing CSR - If you have already created a CSR then you can use this option
  11. Finalize your order


Note

ZeroSSL will generate the certificate using signature algorithm SHA-384

In some cases, if a SHA-384 based SSL certificate is not valid, we have to go for the alternative, "Let's Encrypt". I will explain Let's Encrypt in my next blog.

Every 90 days, we need to renew our certificate in the above mentioned manner.

Download Certificate

  1. Navigate to Certificates section
  2. Go to Issued tab
  3. Click on "Install"
  4. You can select the Default Format dropdown to select specified server or just leave it default.
  5. Download the certificate zip file which will contain 
    1. ca_bundle.crt - CA Bundle
    2. certificate.crt - Certificate
    3. private.key - Private Key


Hope, you will be able to make use of this free SSL feature and encrypt your domain traffic.

Please let me know your feedback and suggestions in comments or mail to psrdotcom@gmail.com

March 03, 2021

Reverse Proxy with IIS ARR (Application Request Routing) and URL Rewrite features

 Dear folks,

Today I am going to explain how we can use IIS as a reverse proxy to secure and redirect to the internal application servers.


IIS ARR 3.0 provides load balancing, cache, forward and reverse proxy features.

This blog will cover the usage of reverse proxy.

Agenda

Secure/Hide the internal servers from public internet requests

Environment Setup

  • DMZ server with IIS ARR and URL Rewrite
  • Internal servers which are accessible to DMZ

Pre-requisites

  1. Make sure the IIS is installed on the server
  2. ARR (Application Request Routing)
  3. URL Rewrite

Procedure

  • Install the pre-requisites
  • Create InBound and OutBound rules to configure as reverse-proxy
  • Edit/Create the web.config based on your requirement
  • Public facing IP - 123.10.1.12
  • Internal IP - 10.1.1.192

Use case 1

  • Redirect URLs with 80 port to internal application server on 8001

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{CACHE_URL}" pattern="^(https?)://" />
          </conditions>
          <!-- Rewrite hands the request to ARR, which proxies it to the internal server;
               a Redirect would send the internal address to the client instead -->
          <action type="Rewrite" url="{C:1}://10.1.1.192/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Replace internal links in HTML responses with the public address -->
        <rule name="ReverseProxyOutboundRule" preCondition="IsHTML">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://10.1.1.192/(.*)" />
          <action type="Rewrite" value="http{R:1}://123.10.1.12/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="IsHTML">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

Use case 2

  • Redirect URLs with 9001 port to internal application server on 8081 with JSON response

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule_Port_JSON" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{CACHE_URL}" pattern="^(https?)://" />
            <add input="{SERVER_PORT}" pattern="9001" />
          </conditions>
          <!-- Rewrite so ARR proxies the request; a Redirect would expose the internal address -->
          <action type="Rewrite" url="http://10.1.1.192:8081/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="ReverseProxyOutboundRule_Port_JSON" preCondition="IsJSON">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://10.1.1.192:8081/(.*)" />
          <action type="Rewrite" value="http{R:1}://123.10.1.12:9001/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="IsJSON">
            <!-- Closing parenthesis added: the original pattern was an unbalanced regular expression -->
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text|application/json|application/plaintext)" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

One can make use of the conditions and redirect accordingly

  • url - use the regular expression to identify the part of the URL to process further
  • conditions - use conditions with attributes to distinguish the URL
  • action - redirect, rewrite, abort with specific URL with arguments


Hope this helps organization to configure and secure the servers

Request you to send your valuable feedback and comments to psrdotcom@gmail.com


January 27, 2021

Windows Batch File - Embed Image (Base64 Encoded) in HTML Code

 Hi folks,

Today I am going to explain how we can add an image to the HTML code without copying the images to a relative path folder.

Procedure

  • Prefix file contents.
    • <img src="data:image/png;base64,
  •  Batch file contents.
  • Suffix file contents.
    • " alt="PSR" />
  • Download the batch file.
  • Open command prompt in Windows.
  • Navigate to the folder containing the batch file.
  • Execute the batch file with the image file name as parameter.
    • > Image2Base64ImgTag.bat PSRImage.jpeg
  • You should see a file "imageTag.html".
  • Open the file to see image in a browser.
  • Open the file with notepad to see the image converted to base64 with proper HTML Image tag.


Hope this helps you to reduce lot of efforts in maintaining the image files/folders.

Send your feedback and comments to psrdotcom@gmail.com
