Sunday, December 12, 2021

LOG4SHELL - CVE-2021-44228: Apache Zero-Day

Log4Shell / Log4j2 -

A zero-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) when a certain string is logged.

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring Boot web applications.



The vulnerability has been assigned CVE-2021-44228 against the log4j-core jar. CVE-2021-44228 is considered a critical flaw and has a base CVSS score of 10, the highest possible severity rating.


Who is Impacted:

Too many services are vulnerable to this exploit, as log4j is a widely used Java-based logging utility. Cloud services like Steam and Apple iCloud, and applications like Minecraft, have already been found to be vulnerable.

Anybody running Apache framework services or any Spring Boot Java-based application that uses log4j2 is likely to be vulnerable.


Affected Apache log4j2 Versions



How to SPOT VULNERABLE APPLICATIONS

Ask the admin/system team to run a search/grep command on all servers to spot any file with "log4j2" in its name, then check whether it is a vulnerable version or not.
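The search step above, as an added example that is not part of the original post: a POSIX shell script that finds log4j-core jars under a directory, reads the version from the file name, and flags anything below 2.15.0 (the fixed release named below). The directory layout and jar names used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate log4j-core jars and flag versions below 2.15.0.
# Sample paths below are constructed; point scan_log4j at a real root to use it.

# Return 0 (true) when version $1 is a 2.x release older than 2.15.0.
# Handles pre-release names such as "2.0-beta9" by keeping the numeric prefix.
log4j_version_vulnerable() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "0-beta9" -> "0"
    [ -z "$minor" ] && minor=0
    case "$major" in 2) ;; *) return 1 ;; esac   # CVE-2021-44228 is a 2.x issue
    [ "$minor" -lt 15 ]
}

# Extract the version from a jar name such as log4j-core-2.14.1.jar.
jar_version() {
    n=$(basename "$1" .jar)
    printf '%s\n' "${n#log4j-core-}"
}

# Jars that were renamed or bundled (shaded) are missed by a name search; the
# lookup class that the vulnerable code lives in can still be spotted with unzip.
has_jndi_lookup() {
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# Walk a directory tree (default: /) and report every log4j-core jar found.
scan_log4j() {
    root="${1:-/}"
    find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        if log4j_version_vulnerable "$ver"; then
            printf 'VULNERABLE  %s (version %s)\n' "$jar" "$ver"
        else
            printf 'ok          %s (version %s)\n' "$jar" "$ver"
        fi
    done
}

# Constructed sample tree (empty placeholder jars) so the scan can be tried offline.
demo=$(mktemp -d)
mkdir -p "$demo/app/lib" "$demo/other"
: > "$demo/app/lib/log4j-core-2.14.1.jar"
: > "$demo/other/log4j-core-2.15.0.jar"
scan_log4j "$demo"
rm -rf "$demo"
```

Run has_jndi_lookup against any jar the name search does not cover (for example a fat jar built by a build tool) to catch bundled copies of the library.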


PERMANENT MITIGATION:

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on the Apache Log4j page below; you can download it and update it on your system.

Ref Link: https://logging.apache.org/log4j/2.x/download.html


TEMPORARY MITIGATION:

Add "log4j.format.msg.nolookups=true" to the global configuration of your server/web applications.



Sunday, February 28, 2021

Open Source Static Code Analysis tools - Horusec

Horusec is an open source tool that performs static code analysis to identify security flaws during development.



Currently, the languages supported for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, and Dart. The tool has options to search for leaked keys and security flaws in all files of your project, as well as in the Git history. Horusec can be used by developers through the CLI and by the DevSecOps team in CI/CD pipelines.



To achieve these goals, the project has split delivery into phases:

  • Phase 0: Support for all horusec-cli features into horusec-vscode (Q1)
  • Phase 1: Support for the Theia(VsCode Web) (Q1)
  • Phase 2: Support for Flutter, Dart, Bash, Shell, Elixir, Clojure and Scala in analysis (Q1)
  • Phase 3: New service to manage the vulnerabilities found (Q2)
  • Phase 4: Dependency analysis for all supported languages (Q3)
  • Phase 5: SAST with MVP Semantic Analysis (Q4)
  • Phase 6: DAST with MVP symbolic analysis (Q4)
Horusec Demo:


Download and Installation Ref:

https://github.com/ZupIT/horusec/tree/master/horusec-cli#installing