This video is an explanation of the recent RCE vulnerability in Log4j (CVE-2021-44228, CVE-2021-45046) that affect many Java applications across the whole Internet. Importantly, the initial fix deployed can also be bypassed so even those who patched may still be vulnerable.
From the video, you will learn what is log4j vulnerability is, how to create a log4j exploit to check if your Java app is vulnerable and how to fix the vulnerability before the bad guys detect it.

✉️ Sign up for my newsletter✉️
https://mailing.bugbountyexplained.com/

Log4j lookups: https://logging.apache.org/log4j/2.x/manual/lookups.html
Official recommendations: https://logging.apache.org/log4j/2.x/security.html
Tool used: https://github.com/welk1n/JNDI-Injection-Exploit
List of affected companies: https://github.com/cisagov/log4j-affected-db
Sources:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://twitter.com/marcioalm/status/1471740771581652995

? Get $100 in credits for Digital Ocean ?
https://m.do.co/c/cc700f81d215

Follow me on twitter:
https://twitter.com/gregxsunday

Timestamps:
00:00 Intro
00:29 What are JNDI lookups in Log4j?
01:45 Base version of the attack
03:00 The fix for Log4j 2.x before 2.10
03:19 Why fix for versions 2.10 before 2.15 is not working (CVE-2021-45046)
06:09 The fixes and bypasses for Log4j 2.15 (CVE-2021-45046)
08:11 What about version 2.16? (CVE-2021-45105)
08:41 Detecting the vulnerability
10:45 Reproducing the Log4j RCE
12:07 Attacking servers that are firewalled-off

#Log4j

Add comment

Your email address will not be published. Required fields are marked *