Awesome Log4Shell
A curated list of awesome links related to the Log4Shell vulnerability.
Contents
- Explanation
- Videos
- Vulnerable Software
- Detection & Remediation
- Articles
- Twitter Discussions
- Examples & Proofs of Concept
- Memes
- Contribute
Explanation
- MITRE CVE - Official CVE page from MITRE.
- Snyk Blog Writeup - Java Champion Brian Vermeer's in depth explanation of the Log4Shell vuln.
- SANS - Initial analysis and follow-up.
- Fastly Blog - Impact, how it works, and timeline.
- Luna Sec - Good tips for detection and remediation.
- Tech Solvency - List of affected vendors and writeups.
- Cado Security - Analysis of the attacks in the wild.
- Rapid7 - Analysis, remediation, and detection.
- Cloudflare - Cloudflare analysis of payloads in the wild.
- Exploiting JNDI injections in Java - Previous article on JNDI injection exploits.
- SLF4J - Comments from SLF4J project.
- Understanding Log4Shell: vulnerability, attacks and mitigations - Slide deck for webcast (see under videos) by Roy van Rijn & Bert Jan Schrijver (OpenValue).
- MOGWAI LABS vulnerability notes: Log4Shell - General explanation of Log4Shell (CVE-2021-44228).
- Log4j Vulnerability – Things You Should Know - RedHunt Labs coverage of Log4Shell: explanation, detection and remediation, along with a tool for mass scanning targets.
- TL;DR: Log4j Vulnerability - Bite sized technical summary of the vulnerability.
Videos
- CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE) - John Hammond, Cybersecurity Researcher @HuntressLabs.
- Blackhat2016 - JNDI manipulation to RCE Dream Land - Blackhat talk from 2016 describing the exploit path.
- Understanding Log4Shell: vulnerability, attacks and mitigations - Webcast by Roy van Rijn & Bert Jan Schrijver (OpenValue).
- Log4Shell Deep Dive - breakpoint your way through the JNDI and HTTP calls leading to an RCE.
- Log4JShell Vulnerability Explained in Simple Terms
- The Log4j vulnerability | The Backend Engineering Show - Explanation of the Log4Shell vulnerability (CVE-2021-44228).
- Can we find Log4Shell with Java Fuzzing? 🔥 (CVE-2021-44228 - Log4j RCE) - Finding the famous Java Log4Shell RCE (CVE-2021-44228) using fuzzing.
Vulnerable Software
- NCSC-NL repository - National Cyber Security Centrum list of vulnerable/non-vulnerable software.
- Swithak - List of vendor advisories related to log4shell.
- Elastic - Deep dive into which versions of Elastic are vulnerable and how to fix.
- CISA - CISA list of vulnerable software.
Detection & Remediation
- Snyk Detection and Remediation - Find and fix using Snyk.
- Remediation cheat sheet - Remediation cheat sheet from Snyk.
- OWASP Core Rule Set - Detection and bypass guidelines.
- Log4Shell Tester from Trendmicro - Tool to determine vulnerability.
- Exploiting and Mitigating CVE-2021-44228: Log4j Remote Code Execution (RCE) by Sysdig - Mitigation steps and explanation using Falco and Sysdig Secure.
- Curated Intelligence Trust Group - Aggregated list of indicators of compromise feeds and threat reports.
- Community Sourced Log4J Attack Surface - List of Log4j attack vectors in popular manufacturers' products.
- MSSP Alert - Good mitigation practices.
- log4shell-detector - Checks logs for exploitation attempts.
- Huntress vulnerability tester - Web based tester.
- Container scanners - How to detect using container scanners.
- Bash IOC scanner - Latest Fenrir supports checking for log4shell compromise and vulnerability.
- Burp Plugin detector - Burp plugin to detect vulnerable hosts.
- Threatview IP list - List of IP addresses currently exploiting log4shell.
- LizardLabs query tool - Search for vulnerable jar files using MS Log Parser.
- Canary tokens - Use a canary token to test for vulnerable systems.
- Exploit Strings data - JNDI exploit strings seen in the wild by Rapid7.
- log4j-detector - Detects vulnerable log4j versions on your file-system within any application.
- log4jshell-bytecode-detector from CodeShield - Analyses jar files and detects the vulnerability on a class file level. The repository additionally contains a list of Artifacts on Maven Central that are also affected.
- Mitigate attacks using Nginx - A simple and effective way to use Nginx (using a Lua block) to protect against attacks.
- OWASP Core Rule Set - Modsecurity CRS rules.
- AWS daemonset - Daemonset from AWS to mitigate vulnerable instances in Kubernetes.
- Hotpatch tool - JVM level hotpatch tool from AWS.
- Public hunt for WAF bypasses - Public hunt for WAF bypasses.
- log4j-resources - Resources and guides collected by GitLab's Developer Evangelism team.
- How Traefik Plugins Protect Your Apps Against the Log4j Vulnerability - How Traefik Plugins Protect Your Apps Against the Log4j Vulnerability.
- Google Cloud recommendations for investigating and responding to the Apache “Log4j 2” vulnerability - Google Cloud recommendations for detection and remediation of the Log4Shell vulnerability.
- Security Vulnerability in Minecraft: Java Edition - Remediation for Java Minecraft servers affected by Log4j.
Articles
- Log4Shell: Redefining Painful Disclosure
- The Gift of It's Your Problem Now
- Discoveries as a Result of the Log4j Debacle
- LOG4J / LOG4SHELL (PART 1): MISCONCEPTIONS
Twitter Discussions
- Log4Shell spreadsheet - Spreadsheet for defenders listing vendors and products.
- Incredible discussion around Log4j - Best list of vulnerable software, services and patches.
Examples & Proofs of Concept
- Log4Shell PoC - Full stack demo including Java LDAP and HTTP servers and a vulnerable Java client. NOTE: It's part of the larger java-goof repo. Look at the log4shell-goof module.
- Log4Shell vulnerable Java application - Spring Boot web application vulnerable to Log4Shell for easy reproduction.
- Various Log4Shell PoC - Analysis of various products with curl-based proof of concepts. Includes Struts2, Solr, VSphere, Druid, James, and more.
- Gamifying Log4j Vulnerability - Exploit Log4J in example code.
- CVE-2021-44228 log4j Exploitation in Action: RCE reverse shell on AWS cloud - Log4Shell exploitation with RCE reverse shell on AWS Cloud.
- Analysis of the Log4Shell vulnerability in addition to protection codes and unit tests.
- Tool to retrieve the payload from a server delivering Log4Shell payloads.
Memes
- Log4J memes - Sometimes we still need a smile.
Contribute
Contributions welcome! Read the contribution guidelines first.