0-day exploit found in log4j, a popular Java logging package

Joe Herbers

Dec 10, 2021, 8:45:11 AM12/10/21
to Cinjug Group
Details in the article on vulnerable versions.
Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

... JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false, meaning JNDI cannot load a remote codebase using LDAP.

However, there are other attack vectors targeting this vulnerability which can result in RCE. Depending on what code is present on the server, an attacker could leverage this existing code to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.

Affected Apache log4j Versions

2.0 <= Apache log4j <= 2.14.1
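Added example (not part of the post, nor code from the log4j project): a small Python inventory script for defenders that walks a directory for jar/war/ear files, reads the log4j-core Maven pom.properties inside each archive (recursing into nested archives such as WEB-INF/lib or shaded fat jars), and flags copies whose version falls in the affected range quoted above, 2.0 through 2.14.1. The `make_sample_jar` helper builds a constructed archive in memory so the scan can be exercised offline; the file layout and function names are assumptions.

```python
"""Find log4j-core copies on disk and flag the affected range 2.0 <= v <= 2.14.1."""
import io
import os
import re
import zipfile

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
# Maven writes this file into every log4j-core jar; shaded/fat jars usually keep it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when the version lies inside the range the post quotes."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def log4j_versions_in(data, path=""):
    """Yield (location, version) for each log4j-core pom.properties in a zip blob,
    recursing into nested archives so bundled copies are not missed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                lines = zf.read(name).decode("utf-8", "replace").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l)
                yield path, props.get("version", "").strip()
            elif name.lower().endswith(ARCHIVE_EXT):
                yield from log4j_versions_in(zf.read(name), f"{path}!{name}")

def scan_tree(root):
    """Return {location: version} for every affected log4j-core found under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    for loc, ver in log4j_versions_in(fh.read(), full):
                        if is_affected(ver):
                            findings[loc] = ver
    return findings

def make_sample_jar(version, nested=None):
    """Constructed test archive: a jar carrying log4j-core pom.properties for
    `version`, optionally embedding another archive blob under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#constructed\nversion={version}\nartifactId=log4j-core\n")
        if nested:
            zf.writestr("WEB-INF/lib/inner.jar", nested)
    return buf.getvalue()
```

Run `scan_tree("/opt")` (or any application root) to list affected copies, including ones hidden inside deployed WARs; a 2.15.0 wrapper that still bundles an older log4j-core is reported by the nested path.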