Log4Shell The Most Dangerous Java Vulnerability for Years
A zero-day exploit, also known as "Log4Shell", was discovered in the wild on December 9, 2021. It targeted a crucial RCE vulnerability within Log4j, an open-source logging program. According to NIST, affected versions of Log4j have JNDI features in configuration, log messages and parameters that don't defend against LDAP controlled by attackers and other JNDI connected endpoints. Minecraft servers Numerous platforms appear to have been affected-including Apple, Cloudflare, and Twitter, as well as the plethora of popular Java ecosystem products with Log4j integrated into their software supply chains like Logstash, Apache Kafka, Elasticsearch and even Minecraft.
The Log4j vulnerability is being seen as the most serious in the last few years. It could even be more severe than the CVE-2017-5638 flaw in Apache Struts RCE that led to Equifax's massive breach. Per Bugcrowd Founder and CTO Casey Ellis, this new vulnerability is a poisonous mix combining immense attack surface, easy exploit dependencies that are difficult to avoid, and extreme the degree of virality. It's a reminder of the way software supply chains have become extremely complex with inter-dependencies that are usually beyond the reach and reach of automated tools such as scanners.
It will provide a moment of clarity for those companies that haven't yet to implement a platform-powered continuous security testing approach. This method combines technology, data and human intelligence to find and address vulnerabilities before they cause harm. Minecraft servers In a future blog post we'll explain how this approach has helped Bugcrowd verify, validate, contextualize, and communicate Log4Shell exposures to customers within hours. Minecraft servers
We are available to assist you with the following:
1. For continuous crowd-powered, continuous detection of Log4Shell exposures in your area for a period of 30 days, you can avail the "Log4j on Fire" bug bounty solution. Get started and read the details. 2. Deeper insights about the risk profile of this vuln as well as its the impact it could have on the future in this Security Flash video featuring Casey Ellis and Application Security Engineer Adam Foster. 3. Live Q&A session with Casey next week (Monday December. 20 at 10am PST) to answer your questions on identifying, safeguarding, and using best practices to combat the Log4j vulnerability and Log4Shell exploit. Register now to reserve your spot. 4. One look at all our Log4j/Log4Shell resources here.
We are extremely happy for our customers and researchers who have put in a lot of effort to make our digitally connected world more secure during this crisis. We'll get it done, just like we always do!