Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on the system, or just fetching shared secrets or environment variables and returning them to the attacker).

- cisagov/log4j-scanner - CISA has a scanner!
- VMware latest workarounds (script to remove class) - urgent - Conti ransomware seen leveraging log4shell against VMware (Cimpanu).
- CISA has issued Emergency Directive 22-02 - required patching timeline changed from Dec 24 to immediately.
- Apache security summary - regularly updated - summary of valid workarounds below.
- Version 2.17 is out - fixes the DoS, but IMO if your vendor only has a 2.16-based fix, apply that now instead of waiting (CVSS 10 is more urgent).
- Newer NIST CVE-2021-45046 - changed to RCE 9.0 (but requires non-default config).
- NOTE: All previous mitigations - based on anything other than upgrading to log4j 2.16 (or higher) or entirely removing JndiLookup classes - are no longer effective mitigation.
- Worm? - Kevin Beaumont and Marcus Hutchins say not really, because it has a hard-coded LDAP server - but better versions may be feasible soon.
- Big new joint CISA / Five Eyes mitigation advisory.
- CVE-2021-44832 (CVSS 6.6) - do not be alarmed (yet) - it appears to require the ability to write a local config file to be exploited ("where an attacker with permission to modify the logging configuration file can construct a malicious configuration").
- Other product and tool lists - see especially the new CISA list on GitHub (but it only has public info - see these lists if your product is not listed here).

Send updates or suggestions (please include category / context / public (or support-walled) links if you can). Last updated: $Date: 8 20:39:17 $ UTC - best effort, validate all for your environment/model before use, unofficial sources may be (Royce Williams), standing on the shoulders of many giants.
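As an added example (not from the original page, CISA's scanner, or VMware's script), a small Python check that applies the NOTE above to a jar/war/ear: it descends into nested archives, reports each bundled log4j-core with the version from its pom.properties and whether JndiLookup.class is still present, and classifies it so that only 2.16+ or a removed JndiLookup counts as mitigated. The sample WAR is constructed in memory; the file paths and version strings in it are fixture values, not real artifacts.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(data: bytes, path: str, results: list) -> list:
    """Walk an in-memory jar/war/ear, descending into nested archives; record each
    log4j-core as (path, version from pom.properties, JndiLookup.class present?)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            props = dict(l.split("=", 1) for l in lines if "=" in l)
            results.append((path, props.get("version", "unknown").strip(), JNDI_LOOKUP in names))
        elif JNDI_LOOKUP in names:  # shaded/repackaged copy without Maven metadata
            results.append((path, "unknown", True))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                scan_archive(zf.read(name), f"{path}!/{name}", results)
    return results

def classify(version: str, has_jndi: bool) -> str:
    """Apply the NOTE above: only 2.16+ or removal of JndiLookup.class counts as mitigated."""
    try:
        v = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        v = None  # unknown/non-numeric version: treat as unpatched
    if v is not None and v >= (2, 16, 0):
        return "OK: log4j-core 2.16+ (JNDI disabled by default)"
    if not has_jndi:
        return "MITIGATED: JndiLookup.class removed"
    return "ACTION: upgrade to 2.16+ or remove JndiLookup.class"

def make_jar(entries: dict) -> bytes:  # build an in-memory zip from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_war() -> bytes:
    """Constructed fixture: a WAR bundling a vulnerable 2.14.1 and a patched 2.16.0 log4j-core."""
    old = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    new = make_jar({POM_PROPS: b"version=2.16.0\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    return make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/lib/log4j-core-2.16.0.jar": new})
```

Run `scan_archive(open(f, "rb").read(), f, [])` over a deployed archive and feed each result to `classify` to get the same verdicts on real files.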