Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.
The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.
Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
| Doyensec Vulnerability Advisory | |
| CVE-2021-27291 | |
| ======================================================================= | |
| * Regular Expression Denial of Service (REDoS) in pygments | |
| * Affected Product: pygments v1.1+, fixed in 2.7.4 | |
| * Vendor: https://github.com/pygments | |
| * Severity: Medium | |
| * Vulnerability Class: Denial of Service | |
| * Status: Fixed | |
| * Author(s): Ben Caller (Doyensec) |
| id: nuclei-rce | |
| info: | |
| name: Nuclei Template RCE by Chromium | |
| author: c3l3si4n | |
| severity: critical | |
| tags: rce,hackback | |
| headless: | |
| - steps: |
| spawnto | |
| https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile | |
| https://raw.githubusercontent.com/kvcallfield/Cobalt-Strike-C2-profiles/cae44634d57c0d8a099e50f6d4e9b73acaaab9d6/amazon2.profile | |
| https://raw.githubusercontent.com/KevinCooper/24AF-CyberChallenge/67f531777f7912c7129f633f43e06fba79c5f3e2/CobaltStrike/cobalt.profile | |
| https://raw.githubusercontent.com/webcoderz/agressor-scripts-/950064776853cf4dd7403d0f75b5306fe275fcc3/Malleable-C2-Profiles-master/APT/meterpreter.profile | |
| https://raw.githubusercontent.com/hadesangel/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile | |
| https://raw.githubusercontent.com/ianxtianxt/Malleable-C2-Profiles/07fd3b45c4166c9aecdcfa54cddc905c22f6ff85/APT/meterpreter.profile | |
| https://raw.githubusercontent.com/seclib/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile | |
| https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/390937aec01e0bcdaf2331227 |
this is a rough draft and may be updated with more examples
GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?
Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to
| Resource | Description |
|---|---|
| Kube Academy | https://kube.academy/ |
| kuernetes-101 | https://kube.academy/courses/kubernetes-101/ |
| Docs Home | https://kubernetes.io/docs/home/ |
| CKS CKA CKAD Simulator | https://killer.sh/ |
| udemy | https://www.udemy.com/topic/certified-kubernetes-administrator-cka/ |
| dev.to | https://dev.to/liptanbiswas/ckad-practice-questions-4mpn |
| #!/usr/bin/env bash | |
| # CVE-2019-11253 | |
| # https://github.com/kubernetes/kubernetes/issues/83253 | |
| # Shout out: @raesene for poc collab, @iancoldwater + @mauilion for | |
| # HONKing inspiration and other guidance. | |
| # Description: In Kubernetes 1.13 and below, the default configuration | |
| # is that system:anonymous can request a selfsubjectaccessreview | |
| # via mechanisms such as "kubectl auth can-i". This request can | |
| # include POSTed YAML, and just the act of trying to parse it causes |
Many different applications claim to support regular expressions. But what does that even mean?
Well there are lots of different regular expression engines, and they all have different feature sets and different time-space efficiencies.
The information here is just copied from: http://regular-expressions.mobi/refflavors.html