RCE 0-day exploit found in log4j, a popular Java logging package

This page summarizes the projects mentioned and recommended in the original post on /r/netsec
Logging Kubernetes Static Analysis Apache Docker

InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured

  • Log4jAttackSurface

    • Dig the commit back up: https://github.com/YfryTchsGD/Log4jAttackSurface/tree/31571e29052b91fb64b54fdb7085b45f9a31de3b

  • semgrep-rules

    Semgrep rules registry

    • There is a new semgrep rule to find potential injection points in the source code: https://github.com/returntocorp/semgrep-rules/pull/1650/commits

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • active-scan-plus-plus

    ActiveScan++ Burp Suite Plugin

    • I've put detection for this into ActiveScan++: https://github.com/PortSwigger/active-scan-plus-plus/commit/b485a0744140533d877ce244603502b42f9c6656

  • Apache Log4j 2

    Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.

    • This conversation on the Apache github (based on the research of ceki, who is apparently the mind behind log4j 1.x) would seem to indicate otherwise. Log4j 1.x does not have a lookup mechanism and JMS Appender (which does the lookup for Log4j 1.x) does not have this vulnerability.

  • apache-log4j-rce-poc

    • I published some code with detailed steps 写了下详细的复现步骤 https://github.com/udoless/apache-log4j-rce-poc

  • apache-log4j-rce-poc

    • Proof of Concept

  • Logout4Shell

    Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo

  • CVE-2021-44228-Log4Shell-Hashes

    Hashes for vulnerable LOG4J versions

    • For example search for the vulnerable files: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

  • ThreatMapper

    Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.

    • All of us are scrambling to upgrade to 2. This OSS tool can help prioritise attack paths using runtime context. We had a potential exposure due to Elasticsearch, found out and patched. https://github.com/deepfence/ThreatMapper

  • Log4JShell-Bytecode-Detector

    Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)

    • u/sanitybit My colleagues have written a detector for the vulnerability: https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • Log4j: Between a Rock and a Hard Place

    7 projects | news.ycombinator.com | 11 Dec 2021

  • ☸️ Kubernetes: From your docker-compose file to a cluster with Kompose

    3 projects | dev.to | 9 Mar 2024

  • Homelab vulnerability/virus scanner

    1 project | /r/docker | 7 Feb 2023

  • KWOK : mettre en place un cluster de milliers de nœuds en quelques secondes …

    9 projects | dev.to | 20 Nov 2022

  • Sublime Music - A FLOSS desktop client for Subsonic API servers (Airsonic, Navidrome, Gonic, etc)

    3 projects | /r/selfhosted | 28 Jul 2022