topic Re: Log4shell: CVSS 10! in Tech Talk

Log4shell: CVSS 10!

AppDefects — Mon, 09 Oct 2023 10:02:35 GMT

In case anyone missed all the action today:

Log4Shell’ vulnerability poses critical threat to applications using ‘ubiquitous’ Java logging package Apache Log4j, and here Exploiting JNDI Injections in Java

Have a nice weekend...

Re: Log4shell: CVSS 10!

csjohnng — Sun, 12 Dec 2021 17:49:10 GMT

It is really hard to miss but the hard part is getting identify and patch them in time.

Re: Log4shell: CVSS 10!

Caute_cautim — Mon, 13 Dec 2021 03:18:09 GMT

Hi All

There will be a great deal of people sorting out this issue, which is likely to affect many cloud providers as well:

https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

https://exchange.xforce.ibmcloud.com/collection/Log4Shell-Zero-Day-Targeting-Java-Package-4daa3df4f73a51590efced7fb90bc949/reports https://exchange.xforce.ibmcloud.com/collection/Log4Shell-Zero-Day-Targeting-Java-Package-4daa3df4f73a51590efced7fb90bc949/reports

It is definitely keeping a lot of Incident Response personnel occupied.

And there is also a tool to detect too:

https://github.com/xforcered/scan4log4shell

Regards

Caute_Cautim

Re: Log4shell: CVSS 10!

Richard_Hlalele — Mon, 13 Dec 2021 09:12:33 GMT

Thanks for sharing the information

Re: Log4shell: CVSS 10!

AppDefects — Tue, 14 Dec 2021 02:15:05 GMT

Most Burp extensions are written in a similar way as this one. I have no issues with this one except that it is NOT (yet??) in the Burp Extender "BApp store". Log4Scanner is in BApp. The same caveat emptor applies to many of the GitHub JNDI scanners out there on GitHub. Always do a code review before using anything! I have seen some "spooky" stuff out there...

Re: Log4shell: CVSS 10!

Caute_cautim — Tue, 14 Dec 2021 02:48:02 GMT

@AppDefectsAbsolutely agree, but when people are in a rush, and the pressure is on - all sorts of issues arise.

Time for automation and orchestration.

Regards

Caute_Cautim

Re: Log4shell: CVSS 10!

csjohnng — Wed, 15 Dec 2021 03:48:35 GMT

@AppDefects

Yes, while we are busy in handling this.

We shall really look close at the code download from the git to avoid people is taking advantage on this rush.

Joke aside, my developer is very happy and told me that look we are lucky that we are not using log4j2 but just logj4 and bring me a dump of the class, that's the benefit of using old version and not doing upgrade. HaHaHa.

and within 5 minutes, I look there are a lot of other vulnerabilities which they are equally bad.. exist in the dump screen..... I am speechless.

Re: Log4shell: CVSS 10!

Caute_cautim — Wed, 15 Dec 2021 23:36:50 GMT

Hi All

Anyone want a good layman's explanation with an example, here is one for those who cannot handle the technology and acryonyms and their heads are spinning.

https://au.pcmag.com/security/91448/critical-apache-log4j2-exploit-demonstrated-in-minecraft

Regards

Caute_ cautim

Re: Log4shell: CVSS 10!

Caute_cautim — Thu, 16 Dec 2021 00:46:39 GMT

As these are appearing regularly, this is an exceptional one for explaining to the C-Suite how bad the situation really is:

https://gizmodo.com/log4j-just-how-screwed-are-we-1848199547

It may help a great deal.

Regards

Caute_Cautim

Re: Log4shell: CVSS 10!

csjohnng — Thu, 23 Dec 2021 06:53:01 GMT

Just be-aware of the situation where there are changes in the attacks in further vulnerability.

https://www.cisa.gov/uscert/ncas/alerts/aa21-356a

Best is to patch them to 2.17.

if you are relying the WAF to temporary block those (which buy you time to upgrade), make sure your signatures are up to date, the signature are keep adding and adding each and almost every 2 days.

Re: Log4shell: CVSS 10!

Caute_cautim — Fri, 24 Dec 2021 04:50:35 GMT

@csjohnng Like everyone else, it appears that Alibaba, didn't disclose it to the Chinese Government first, which apparently they were meant to do before it went public!! We can guess what would have happened, if the Chinese Government had been informed and then decided to use it against everyone else.

Unfortunately the North Korean hacking teams are probably making hay while they can and using for their own nefarious purposes too.

Best to keep an eye on what is going on, more exploits being created and reported upon even as we liaise.

Lets hope it is a quiet Christmas, but unfortunately, I don't think that will be the case.

And just as predicted Conti and ransomware exploiters are now using it:

https://www.techrepublic.com/article/conti-ransomware-is-exploiting-the-log4shell-vulnerability-to-the-tune-of-millions/

Regards

Caute_Cautim