Collaborate Disseminate
Considering how log4shell seems trivial to exploit and the important control level it gives to an attacker, should we wipe everything affected and start over?
For example, we find out that a publicly accessible server in production has log… Continue reading Log4shell – Should affected servers be "nuked from the orbit"?
After the log4j vulnerability was announced, I scanned my Mac to see if any applications were using it.
find / -name "*log4j*" 2>/dev/null
Here’s the output that indicates that Xcode has log4j bundled in:
./System/Volumes/Dat… Continue reading Is Xcode vulnerable due to log4j?
Latest episode – listen now! (Yes, there are plenty of critical things to go along with Log4Shell.) Continue reading S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]
In regard to the recent CVE-2021-44228 vulnerability, I’ve noticed that even the newest version of atomikos-util 5.0.8 is using a vulnerable version of Log4J 2.2 – as an internal dependency..
I was struggling to find any information from t… Continue reading Atomikos dependency and CVE-2021-44228
After a brief discussion of the Log4Shell vulnerability panic, we discuss how Virgin Media has got itself into hot water, a fat-fingered fumble at the Bored Ape Yacht Club, and how to hack around your girlfriend’s facial recognition.
All this and mo… Continue reading Smashing Security podcast #256: Virgin Media just won’t take no for an answer, NFT apes, and bad optics
We’re currently trying to prioritize our mitigations for CVE-2021-44228.
The obvious priority is to deal with any Internet facing java (apache?) applications that use a vulnerable log4j library and\or Java binary first.
For multi-user Linu… Continue reading Clarification on log4j Service Requirements
I am using Apache Log4j 2 version 2.12.1. It is subject to CVE-2021-44228, the log4shell vulnerability. The vulnerability is fixed in version 2.15.0. I would like to patch the source code in my 2.12.1 version without completely upgrading t… Continue reading log4shell source code patch
Considering that a RCE vulnerability has been recently found in the log4j library, a library used in a lot more applications than I thought. The following question comes to my mind.
If an attacker successfully exploits log4shell, does the … Continue reading At which OS privilege level log4j usually runs?
Does Log4Shell ("CVE-2021-44228") affect K8S/Containers and/or function-as-a-service (FaaS) running image with affected log4j?
I would like to understand if this vulnerability affects ephemeral setups such as K8S/FaaS and how JND… Continue reading Does Log4Shell ("CVE-2021-44228 ") affect K8S/Containers and function-as-a-service (FaaS)?
If a version of log4j2 is present on a server (say, 2.5 or 2.7) but the JndiLookup class does not exist in any jars, does this mean this specific implementation of log4j2 is not vulnerable to Log4Shell?
Continue reading Absence of JndiLookup class on vulnerable version number… Log4Shell safe?