Tag log4shell
Liked
a post on Twitter
Post details
This log4j exploit = remote code execution in basically everything. Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent. This may well be devastating 0day RCE exploit that has ever been dropped in all of history. github.com/YfryTchsGD/Log…
Mustafa Al-Bassam (@musalbas) Fri, 10 Dec 2021 13:28 GMT
How to detect if affected: Start netcat parallel to your app: "nc -lp 1234", then type the following into app where it gets logged (e.g. the query string of your search): "${jndi:ldap://127.0.0.1:1234/abc}" If you then see garbage/emojis in the netcat console you're vulnerable!
Uwe Schindler 👮💳💉💉 (@thetaph1) Fri, 10 Dec 2021 11:51 GMT
I've written a simple (i.e. standalone, no dependencies) Java program which patches JndiLookup.lookup() to return a fixed string and not parse its arguments. This should fix CVE-2021-44228 (i.e. RCE in Log4j) without restarting your JVM process. #Log4J github.com/simonis/Log4jP…
Volker Simonis (@volker_simonis) Fri, 10 Dec 2021 10:45 GMT
I just knocked up a quick JavaAgent that works around the log4j zero day: github.com/stuartwdouglas…. It basically just nulls out the JndiLookup class in log4j.
Stuart Douglas (@stuartwdouglas) Fri, 10 Dec 2021 06:27 GMT
FYI this won't work for all versions, only versions since 2.10.0. If you're on a previous version, see comments in https://news.ycombinator.com/item?id=29507263 for alternatives
I deleted an incorrect tweet about mitigations. Here's the correction: PoC is here: github.com/tangxiaofeng7/… (and it's legit, I've seen verification). Mitigation: update to log4j 2.10 and set the env var LOG4J_FORMAT_MSG_NO_LOOKUPS=true; OR upgrade to 2.15rc1 or above.
jacobian (@jacobian) Fri, 10 Dec 2021 02:35 GMT
If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit.
-Dlog4j2.formatMsgNoLookups=true
lnkd.in/gHmEFJ9w #Java #Security #Infosec
Bruno Borges (@brunoborges) Fri, 10 Dec 2021 06:07 GMT