log4j-affected-db
log4shell-vulnerable-app
Our great sponsors
| log4j-affected-db | log4shell-vulnerable-app | |
|---|---|---|
| 30 | 5 | |
| 1,117 | 1,087 | |
| - | - | |
| 7.1 | 0.0 | |
| over 1 year ago | 11 months ago | |
| Shell | Java | |
| Creative Commons Zero v1.0 Universal | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
log4j-affected-db
- how to remidiate log4j with PDQ deploy
-
Log4j vulnerabilities
Affected software is listed here https://github.com/cisagov/log4j-affected-db
-
Log4J – A 10 step mitigation plan
Check what other software you are running and see if the software is vulnerable according to the list published by the NCSC-NL. CISA.gov has a similar registry.
- New Log4J CVE
- Mitigating log4j in Windows?
-
Uhhh has anyone else not had to change anything for Log4j?
I thought the same thing last Friday, then I ran this: (find / -name 'log4j*') found a few web servers with log4j running. Then went through this list: https://github.com/cisagov/log4j-affected-db found 2 more Internet facing servers on the list.
-
Log4j 2.15.0 – Previously suggested mitigations may not be enough
The major risk here probably isn't in-house developed code but versions of log4j used in a vast array of packaged software and systems.
https://github.com/cisagov/log4j-affected-db <-- that's a (probably incomplete) list of affected vendors and applications, and in many cases the vendor can't even say yet whether they're vulnerable.
-
2021-12-15: Log4Shell (CVE-2021-44228 & CVE-2021-45046) Update
CISA Log4j (CVE-2021-44228) Vulnerability Guidance
Quick thought, if I might: this CVE is going to be difficult for all vulnerability scanners, including Spotlight, as vendors that bundle vulnerable versions of Log4j are not issuing new CVEs for their product — they are piggybacking on 44228. For this reason, vuln. management solutions have to try and write a rule sets for a single CVE that covers tens of thousands of pieces of software. You can see a large, but not exhaustive, list of software that is impacted here.
- PSA: When there's a 0day, don't trust random people on the internet. Verify everything.
log4shell-vulnerable-app
- Finding the "practical" component for my thesis on Log4Shell
-
PSA: When there's a 0day, don't trust random people on the internet. Verify everything.
If you aren't sure exactly how this works I recommend trying the log4shell-vulnerable-app and test it yourself with something like dnslog.cn in a controlled/sandboxed environment.
- Log4j Vulnerability Cheatsheet
What are some alternatives?
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
log4shell-tools - Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046
ledger-live-desktop - ⛔️ DEPRECATED - Ledger Live (Desktop)
ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
log4j-scan - A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
aegis4j - A Java agent that disables platform features you don't use, before an attacker uses them against you.
Log4j-RCE-Scanner - Remote command execution vulnerability scanner for Log4j.
Apache Log4j 2 - Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.
log4shell - Operational information regarding the log4shell vulnerabilities in the Log4j logging library.
log4jpwn - log4j rce test environment and poc
log4jScanner - log4jScanner provides the ability to scan internal subnets for vulnerable log4j web services
Windowslog4jClassRemover