> "hearing folks compare #log4shell is 'as bad as heartbleed' - imo it's much, much worse."

Deadlines: CISA orders federal agencies to patch Log4Shell by December 24th.

Cloud: Multiple large providers are also affected (but this guide focuses mostly on the customer-managed side).

(For those not familiar, these are terms of art in the NMS (Network Monitoring/Management Systems) and logging space - ref, ref, ref.) Chaining them together for exploitation must also be considered.

Log forwarding: logging infrastructure often has many "northbound" (send my logs to someone) and "southbound" (receive logs from someone) forwarding/relaying topologies.

Appliances: Don't forget appliances and other opaque or third-party systems that may be using Java server components but won't be detected by un-credentialed vulnerability scanning or simple exploitation tests.

Also, the presence of 1.x is not good - 1.x went EOL in August 2015!

Affected versions: log4j 2.x confirmed - log4j 1.x only indirectly (previous information disclosure vulns, harder to exploit) and only in some configurations.

Downstream projects: until proven otherwise, assume anything that includes log4j, or depends on something that does, is affected in a way that requires mitigation (see below).

Targets: Servers and clients that run Java and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point.

Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on the system, or simply fetching shared secrets or environment variables and returning them to the attacker).

Apache is now publishing known post-EOL log4j 1.2 vulnerabilities (even though they will not be fixed).
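The "Appliances" and "Downstream projects" points above both come down to the same inventory problem: log4j is usually buried inside a WAR or EAR that an un-credentialed scan never opens. The script below is an added example (not from the original post) of a credentialed, on-host inventory: it walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside them in memory, and reads the Maven `pom.properties` that log4j ships under `META-INF/maven/` to recover the artifact id and version. Anything under `log4j-core` 2.x is flagged for comparison against vendor fix guidance and anything under the old `log4j` 1.x group is flagged as EOL, matching the post's two categories. The sample archives built by `demo()` are constructed for the example; their version strings are placeholders, not real releases.

```python
"""Inventory log4j artifacts on disk, including JARs nested inside WAR/EAR files.
Added example for the inventory problem described above; not part of the original post."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, List

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Maven-built log4j jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties.
# log4j 2.x uses groupId org.apache.logging.log4j; the EOL 1.x line uses groupId log4j.
POM_RE = re.compile(
    r"^META-INF/maven/(?:org\.apache\.logging\.log4j|log4j)/(?P<artifact>[^/]+)/pom\.properties$"
)


@dataclass
class Finding:
    path: str      # outer file path, with nested entries appended after '!'
    artifact: str
    version: str
    verdict: str


def _parse_pom_properties(data: bytes) -> dict:
    """Minimal key=value parser for a Java .properties file."""
    props = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def classify(artifact: str, version: str) -> str:
    """Map an artifact/version pair onto the post's two categories."""
    major = version.split(".")[0]
    if artifact == "log4j" and major == "1":
        return "EOL-1.x"
    if artifact == "log4j-core" and major == "2":
        return "LOG4J-CORE-2.x: verify against vendor fix guidance"
    return "other log4j artifact: review"


def _scan_zip(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    for name in zf.namelist():
        match = POM_RE.match(name)
        if match:
            props = _parse_pom_properties(zf.read(name))
            artifact = props.get("artifactId", match.group("artifact"))
            version = props.get("version", "unknown")
            yield Finding(label, artifact, version, classify(artifact, version))
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            # Nested archive (e.g. WEB-INF/lib/*.jar inside a WAR): recurse without extracting.
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from _scan_zip(inner, f"{label}!{name}")


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and return every log4j artifact found, nested or not."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(_scan_zip(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def _pom_jar(group: str, artifact: str, version: str) -> bytes:
    """Build an in-memory jar that contains only a Maven pom.properties (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"groupId={group}\nartifactId={artifact}\nversion={version}\n",
        )
    return buf.getvalue()


def demo() -> List[Finding]:
    """Build a constructed sample tree (placeholder versions) and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    # A WAR with log4j-core 2.x hidden in WEB-INF/lib, and a loose EOL 1.x jar elsewhere.
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.0-CONSTRUCTED.jar",
                     _pom_jar("org.apache.logging.log4j", "log4j-core", "2.0-CONSTRUCTED"))
    os.makedirs(os.path.join(root, "legacy"))
    with open(os.path.join(root, "legacy", "log4j-1.2-CONSTRUCTED.jar"), "wb") as fh:
        fh.write(_pom_jar("log4j", "log4j", "1.2-CONSTRUCTED"))
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.verdict:<50} {f.artifact}:{f.version}  {f.path}")
```

Run it against `/opt`, `/usr/share`, application deployment roots and the appliance's filesystem if you can get a shell on it; an artifact reported with a `!` in its path is one a plain file listing would have missed. Jars repackaged without Maven metadata (shaded or "fat" jars) will not carry `pom.properties`, so treat an empty result as "nothing found by this method", not as a clean bill of health.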