AppDefects
Community Champion

Log4shell: CVSS 10!

10 Replies
csjohnng
Community Champion

It is really hard to miss, but the hard part is identifying and patching them in time.

John
Caute_cautim
Community Champion

Hi All

 

There will be a great deal of people sorting out this issue, which is likely to affect many cloud providers as well:

 

https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

 

https://exchange.xforce.ibmcloud.com/collection/Log4Shell-Zero-Day-Targeting-Java-Package-4daa3df4f7...

 

It is definitely keeping a lot of Incident Response personnel occupied.

 

And there is also a tool to detect too:

 

https://github.com/xforcered/scan4log4shell

 

Regards

 

Caute_Cautim

Thanks for sharing the information

AppDefects
Community Champion

Most Burp extensions are written in a similar way as this one. I have no issues with this one except that it is NOT (yet??) in the Burp Extender "BApp store". Log4Scanner is in BApp. The same caveat emptor applies to many of the GitHub JNDI scanners out there on GitHub. Always do a code review before using anything! I have seen some "spooky" stuff out there...

Caute_cautim
Community Champion

@AppDefects Absolutely agree, but when people are in a rush and the pressure is on, all sorts of issues arise.

 

Time for automation and orchestration.

 

Regards

 

Caute_Cautim

csjohnng
Community Champion

@AppDefects 

Yes, while we are busy handling this.

We shall really look closely at the code downloaded from Git, to avoid people taking advantage of this rush.

 

Joke aside, my developer is very happy and told me, "Look, we are lucky that we are not using log4j2 but just log4j," and brought me a dump of the class; that's the benefit of using the old version and not upgrading. HaHaHa.

 

And within 5 minutes, I saw there are a lot of other vulnerabilities, which are equally bad, in the dump screen... I am speechless.

 

John
Caute_cautim
Community Champion

Hi All

 

For anyone who wants a good layman's explanation with an example, here is one for those who cannot handle the technology and acronyms and whose heads are spinning.

 

https://au.pcmag.com/security/91448/critical-apache-log4j2-exploit-demonstrated-in-minecraft

 

Regards

 

Caute_Cautim

Caute_cautim
Community Champion

As these are appearing regularly, this is an exceptional one for explaining to the C-Suite how bad the situation really is:

 

https://gizmodo.com/log4j-just-how-screwed-are-we-1848199547

 

It may help a great deal.

 

Regards

 

Caute_Cautim

csjohnng
Community Champion

Just be aware of the situation where there are changes in the attacks with further vulnerabilities.

https://www.cisa.gov/uscert/ncas/alerts/aa21-356a

 

Best is to patch them to 2.17.

If you are relying on the WAF to temporarily block those (which buys you time to upgrade), make sure your signatures are up to date; signatures keep being added almost every 2 days.

 

John
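As an added, defensive example that is not from anyone in this thread: a small Python inventory check in the spirit of John's "patch them to 2.17" advice. It parses the version out of standard Maven-style `log4j-core-X.Y.Z.jar` filenames (an assumption about naming; shaded or renamed jars will not match), flags 2.x versions below 2.17.0, and also opens each jar to see whether it carries Log4j 2's `JndiLookup` class, so that a renamed jar bundling Log4j 2 is at least surfaced for manual review rather than silently passing. The sample jars are constructed in memory so the script runs offline; the 2.17.0 threshold is taken from the post above.

```python
"""Inventory check: which Log4j 2 core jars still need the 2.17 upgrade?

Added example for this thread, not code from any post or project here.
Assumes Maven-style jar names (log4j-core-X.Y.Z.jar); anything else is
only assessed by looking for the JndiLookup class inside the archive.
"""
import io
import re
import zipfile

# Threshold from the post: anything on the 2.x line below this needs patching.
FIXED_VERSION = (2, 17, 0)

# Class that Log4j 2 core ships for JNDI lookups (real package path).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches log4j-core-2.14.1.jar as well as log4j-core-2.17.jar (patch optional).
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def version_from_name(path):
    """Return (major, minor, patch) parsed from a log4j-core jar name, or None."""
    match = JAR_NAME_RE.search(path)
    if not match:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def has_jndi_lookup(jar_bytes):
    """True if the jar (a zip archive) contains the JndiLookup class entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as archive:
        return JNDI_LOOKUP_CLASS in archive.namelist()


def assess_jar(path, jar_bytes):
    """Classify one jar as UPGRADE, REVIEW or OK for the 2.17 patch campaign."""
    version = version_from_name(path)
    jndi_present = has_jndi_lookup(jar_bytes)
    if version is not None and version[0] == 2 and version < FIXED_VERSION:
        # Known 2.x core jar below the fixed version: patch regardless of
        # whether JndiLookup.class was stripped as an interim mitigation.
        status = "UPGRADE"
    elif version is None and jndi_present:
        # Unrecognised jar name but it bundles Log4j 2 core: a human must check.
        status = "REVIEW"
    else:
        status = "OK"
    return {"path": path, "version": version, "jndi_lookup": jndi_present, "status": status}


def make_jar(entry_names):
    """Build a constructed in-memory jar containing the given (empty) entries."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in entry_names:
            archive.writestr(name, b"")
    return buffer.getvalue()


# Constructed sample inventory (not real artefacts from any system).
SAMPLE_JARS = {
    "lib/log4j-core-2.14.1.jar": make_jar([JNDI_LOOKUP_CLASS]),
    "lib/log4j-core-2.16.0.jar": make_jar([]),            # class removed, still < 2.17
    "lib/log4j-core-2.17.0.jar": make_jar([JNDI_LOOKUP_CLASS]),
    "lib/app-all.jar": make_jar([JNDI_LOOKUP_CLASS]),     # shaded jar, version unknown
    "lib/commons-io-2.11.0.jar": make_jar(["META-INF/MANIFEST.MF"]),
}


def run_inventory(jars=SAMPLE_JARS):
    """Assess every jar in the inventory and return the results as a list."""
    return [assess_jar(path, data) for path, data in jars.items()]


if __name__ == "__main__":
    for result in run_inventory():
        print(f"{result['status']:8} {result['path']}  version={result['version']}")
```

Run it as-is to see the sample report; in practice you would feed `run_inventory` a mapping built from the jars found under your application and container image paths. A jar marked REVIEW is not proven vulnerable, only worth a look, which matches AppDefects' point about not trusting anything you have not inspected.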