19 Matching Annotations
  1. Dec 2021
    1. docker scan elastic/logstash:7.13.3 | grep 'Arbitrary Code Execution'

      Example of scanning docker image for a log4j vulnerability

    1. Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is not longer supported by the Log4j team.

      JDK 8 REQUIRED

    2. The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0. Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host. One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it

      explicacion

    1. According to the provided link, PulseSecure is not affected. Why is it marked as TRUE?

      me too!

    1. reported today (10th of December, 2021) in Java logging library (log4j) in versions from 2.0.0 and before and including 2.14.1.

      dia 1: 2021-12-10 dice que 2.0.0 and before (?)

    1. After receiving a connection from a vulnerable client, it will immediately respond with an LDAP Operation Error. No code is sent from our LDAP server to your client

      respuesta

    2. You can then paste this payload into various inputs on your application (form fields, input boxes, User-Agent strings, etc.). If the application is vulnerable, it will reach out to our LDAP server.

      truco: AQUI!

    1. Click the "View Connection" button after you have pasted in the syntax to see if it received any connection, and verify the detected IP address and timestamp, to correlate with when you tested any service

      truco: la URL de huntress, recibe y avisa si log4j ha hecho la llamada!!!

      code link

    2. You simply copy and paste the generated JNDI syntax (the code block ${jndi[:]ldap[:]//.... presented on the site) into anything (application input boxes, frontend site form fields, logins such as username inputs, or if you are bit more technical, even User-Agent or X-Forwarded-For or other customizable HTTP headers)

      usar en campos, o HTTP

    3. Huntress researcher John Hammond has recreated a proof-of-concept exploit against the prolific target: Minecraft video game servers

      POC con Minecraft

    4. A threat actor might supply special text in an HTTP User-Agent header or a simple POST form request, with the usual form

      ejemplo ataque

    1. community-curated list of vulnerable software

      evidencias de apps afectadas link

    2. it affects only versions 2.x of Apache Log4j (i.e., Apache Log4j 2). To be more precise, it affects versions from (and including) 2.0-beta9 to 2.14.1.

      afectado

    1. widely used in business system development, included in various open-source libraries, and directly embedded in major software applications

      use

    2. The vulnerability, tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1

      afectados

    3. Workarounds To help mitigate the risk of this vulnerability until the more complete security update can be applied, customers should consider the following mitigations steps. A service restart will be required for these changes to take effect. These workarounds should not be considered a complete solution to resolve this vulnerability: In case the Log4j 2 vulnerable component cannot be updated, Log4J 2 versions 2.10 to 2.14.1 support the parameter log4j2.formatMsgNoLookups to be set to ‘true’, to disable the vulnerable feature. Ensure this parameter is configured in the startup scripts of the Java Virtual Machine: -Dlog4j2.formatMsgNoLookups=true.Alternatively, customers using Log4j 2.10 to 2.14.1 may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to force this change.Kubernetes administrators may use “kubectl set env” to set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to apply the mitigation across Kubernetes clusters where the Java applications are running Log4j 2.10 to 2.14.1, effectively reflecting on all pods and containers automatically.For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

      Workarounds

    1. Log4j version 1.x, which is not affected by this issue.

      1.x

    2. It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue, but this is only a partial mitigation

      JDK version

    1. CVE-2021-44228 The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0. Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host. One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it. For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

      log4j-CVE