Log4shell: CVSS 10!
In case anyone missed all the action today:
‘Log4Shell’ vulnerability poses critical threat to applications using ‘ubiquitous’ Java logging packa... and here: Exploiting JNDI Injections in Java
Have a nice weekend...
It is really hard to miss, but the hard part is getting to identify and patch them in time.
Hi All
There will be a great deal of people sorting out this issue, which is likely to affect many cloud providers as well:
https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/
https://exchange.xforce.ibmcloud.com/collection/Log4Shell-Zero-Day-Targeting-Java-Package-4daa3df4f7...
It is definitely keeping a lot of Incident Response personnel occupied.
And there is also a tool to detect too:
https://github.com/xforcered/scan4log4shell
Regards
Caute_Cautim
Thanks for sharing the information
Most Burp extensions are written in a similar way as this one. I have no issues with this one except that it is NOT (yet??) in the Burp Extender "BApp store". Log4Scanner is in BApp. The same caveat emptor applies to many of the GitHub JNDI scanners out there on GitHub. Always do a code review before using anything! I have seen some "spooky" stuff out there...
@AppDefects Absolutely agree, but when people are in a rush and the pressure is on, all sorts of issues arise.
Time for automation and orchestration.
Regards
Caute_Cautim
Yes, while we are busy handling this.
We shall really look closely at the code downloaded from git to avoid people taking advantage of this rush.
Joke aside, my developer is very happy and told me, "Look, we are lucky that we are not using log4j2 but just log4j," and brought me a dump of the class; that's the benefit of using the old version and not doing upgrades. HaHaHa.
And within 5 minutes, I looked and there are a lot of other vulnerabilities, which are equally bad, in the dump screen..... I am speechless.
Hi All
If anyone wants a good layman's explanation with an example, here is one for those who cannot handle the technology and acronyms and whose heads are spinning.
https://au.pcmag.com/security/91448/critical-apache-log4j2-exploit-demonstrated-in-minecraft
Regards
Caute_Cautim
As these are appearing regularly, this is an exceptional one for explaining to the C-Suite how bad the situation really is:
https://gizmodo.com/log4j-just-how-screwed-are-we-1848199547
It may help a great deal.
Regards
Caute_Cautim
Just be aware of the situation where there are changes in the attacks and further vulnerabilities.
https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
Best is to patch them to 2.17.
If you are relying on the WAF to temporarily block those (which buys you time to upgrade), make sure your signatures are up to date; the signatures keep being added almost every 2 days.
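As an added illustration of the "patch to 2.17" advice above (this is not code from any post in this thread), here is a small Python inventory script that walks a directory, identifies log4j-core jars by the Maven `pom.properties` file they carry (the path below is the standard Maven layout, assumed here), looks one level into jars bundled inside WAR/EAR archives, and flags any version below 2.17.0. The sample archives it scans are constructed in a temporary directory so it runs offline.

```python
import io
import os
import re
import tempfile
import zipfile

# Maven-built log4j-core jars carry this properties file (standard Maven layout, assumed here).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold taken from the thread's advice: patch to 2.17.
FIXED = (2, 17, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            raw = line.split("=", 1)[1].strip()
            nums = []
            for part in raw.split(".")[:3]:
                m = re.match(r"\d+", part)  # keep only the leading digits ("0-rc1" -> 0)
                nums.append(int(m.group()) if m else 0)
            while len(nums) < 3:
                nums.append(0)
            return tuple(nums)
    return None


def inspect_archive(data, origin, depth=0):
    """Return [(origin, version, is_below_fixed)] for log4j-core found in archive bytes.

    Looks one level into archives nested inside this one (e.g. WEB-INF/lib/*.jar in a WAR).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            if ver is not None:
                findings.append((origin, ver, ver < FIXED))
        if depth < 1:
            for name in names:
                if name.endswith(ARCHIVE_SUFFIXES):
                    try:
                        findings.extend(inspect_archive(zf.read(name), f"{origin}!/{name}", depth + 1))
                    except zipfile.BadZipFile:
                        continue  # not a real archive; skip it
    return findings


def scan_tree(root):
    """Walk root and collect findings; origins are reported relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings.extend(inspect_archive(data, os.path.relpath(path, root)))
            except zipfile.BadZipFile:
                continue
    return sorted(findings)


def build_archive(entries):
    """Constructed sample archive: {entry_name: str_or_bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def pom_props(version):
    return f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"


def demo():
    """Build constructed sample archives in a temp dir and scan them."""
    root = tempfile.mkdtemp()
    samples = {
        "log4j-core-2.14.1.jar": build_archive({POM_PROPS: pom_props("2.14.1")}),
        "log4j-core-2.17.0.jar": build_archive({POM_PROPS: pom_props("2.17.0")}),
        # a WAR bundling an old log4j-core one level down
        "app.war": build_archive({
            "WEB-INF/lib/log4j-core-2.15.0.jar": build_archive({POM_PROPS: pom_props("2.15.0")}),
        }),
        "unrelated.jar": build_archive({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_tree(root)


if __name__ == "__main__":
    for origin, ver, below in demo():
        status = "BELOW 2.17.0 - patch" if below else "ok"
        print(f"{origin}: {'.'.join(map(str, ver))} [{status}]")
```

Point `scan_tree()` at an application's deployment directory to get the same report over real archives; the one-level nesting is deliberate, since a WAR inside an EAR inside a jar is rare and deeper recursion mostly costs time on large deployments.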