runZero is not a vulnerability scanner, but you can share runZero's results with your security team for investigation and mitigation.

Internet discussion was abuzz on December 9th about a 0-day vulnerability that can yield remote code execution (RCE) in Apache's popular Log4J logging library for Java. This particular vulnerability, tracked as CVE-2021-44228 with the maximum "critical" CVSS score of 10, resides in Log4J's lookup capability combined with JNDI (Java Naming and Directory Interface).

This issue is widespread because many developers were unaware that Log4J was dangerous to use with unfiltered input. The most significant impact is that an attacker can cause a string to reach the logger which, when processed by Log4J, executes arbitrary code. The first examples of this used the $ path, which could lead to arbitrary code being loaded from a remote URL. This path is partially mitigated by newer Java runtimes, which block the URL-based class loader by default. Unfortunately, a modern version of Java may not be enough to prevent exploitation, as the application itself may expose classes that can be used to run arbitrary code.
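The investigation step above starts with knowing which hosts carry an exposed log4j-core build. As an added example (not part of the original post and not runZero's own tooling), the Python helper below inspects jars on disk for the log4j-core Maven version and the JndiLookup class, and flags builds below 2.15.0 (the first release that stops resolving JNDI lookups in messages by default) for review; the sample jars it scans are constructed fixtures, not real Log4J builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Entry that implements the JNDI lookup inside log4j-core; if it is present, the
# lookup path described above is still available to the logger.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(props_text):
    """Return (major, minor, patch) from a Maven pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(jar_path):
    """Report whether a jar is a log4j-core build that should be reviewed for CVE-2021-44228."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    # Anything before 2.15.0 resolves JNDI lookups in log messages by default; an
    # unparseable version (e.g. a beta build) with the class present also deserves a look.
    old = version is None or (version[0] == 2 and version < (2, 15, 0))
    return {"path": str(jar_path), "version": version,
            "jndi_lookup_present": has_jndi, "review": has_jndi and old}


def scan_directory(root):
    """Inspect every .jar under root (jars nested inside fat jars are not unpacked)."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def make_sample_jar(path, version, include_jndi):
    """Constructed test fixture: a minimal stand-in for a log4j-core jar, not a real build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


def run_demo():
    """Build two constructed jars in a temp directory, scan them and return the findings."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1", True)   # affected build
    make_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1", False)  # patched, class removed
    return scan_directory(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `scan_directory` at an application's library directory on a host that runZero identified; jars bundled inside other jars (Spring Boot fat jars, WARs) need to be unpacked first.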