Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)
From the video, you will learn what is log4j vulnerability is, how to create a log4j exploit to check if your Java app is vulnerable and how to fix the vulnerability before the bad guys detect it.
✉️ Sign up for my newsletter✉️
https://mailing.bugbountyexplained.com/
Log4j lookups: https://logging.apache.org/log4j/2.x/manual/lookups.html
Official recommendations: https://logging.apache.org/log4j/2.x/security.html
Tool used: https://github.com/welk1n/JNDI-Injection-Exploit
List of affected companies: https://github.com/cisagov/log4j-affected-db
Sources:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://twitter.com/marcioalm/status/1471740771581652995
? Get $100 in credits for Digital Ocean ?
https://m.do.co/c/cc700f81d215
Follow me on twitter:
https://twitter.com/gregxsunday
Timestamps:
00:00 Intro
00:29 What are JNDI lookups in Log4j?
01:45 Base version of the attack
03:00 The fix for Log4j 2.x before 2.10
03:19 Why fix for versions 2.10 before 2.15 is not working (CVE-2021-45046)
06:09 The fixes and bypasses for Log4j 2.15 (CVE-2021-45046)
08:11 What about version 2.16? (CVE-2021-45105)
08:41 Detecting the vulnerability
10:45 Reproducing the Log4j RCE
12:07 Attacking servers that are firewalled-off
#Log4j
Add comment