Awesome Log4Shell

A curated list of awesome links related to the Log4Shell vulnerability.

Contents

• Explanation
• Videos
• Vulnerable Software
• Detection & Remediation
• Articles
• Twitter Discussions
• Examples & Proofs of Concept
• Memes
• Contribute

Explanation

• MITRE CVE - Official CVE page from MITRE.
• Snyk Blog Writeup - Java Champion Brian Vermeer's in depth explanation of the Log4Shell vuln.
• SANS - Initiall analysis and follow up.
• Fastly Blog - Impact, how it works, and timeline.
• Luna Sec - Good tips for detection and remediation.
• Tech Solvency - List of affected vendors and writeups.
• Cado Security - Analysis of the attacks in the wild.
• Rapid7 - Analysis, remediation, and detection.
• Cloudflare - Cloudflare analysis of payloads in the wild.
• Exploiting JNDI injections in Java - Previous article on JNDI injection exploits.
• SLF4J - Comments from SLF4J project.
• Understanding Log4Shell: vulnerability, attacks and mitigations - Slide deck for webcast (see under videos) by Roy van Rijn & Bert Jan Schrijver (OpenValue).
• MOGWAI LABS vulnerability notes: Log4Shell - General explanation of Log4Shell (CVE-2021-44228).
• Log4j Vulnerability – Things You Should Know - Redhunt Labs coverage around log4shell: Explanation, detection and remediation. Along with tool for mass scanning targets.
• TL;DR: Log4j Vulnerability - Bite sized technical summary of the vulnerability.

Videos

• CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE) - John Hammond, Cybersecurity Researcher @HuntressLabs.
• Blackhat2016 - JNDI manipulation to RCE Dream Land - Blackhat talk from 2016 describing the exploit path.
• Understanding Log4Shell: vulnerability, attacks and mitigations - Webcast by Roy van Rijn & Bert Jan Schrijver (OpenValue).
• Log4Shell Deep Dive - breakpoint your way through the JNDI and HTTP calls leading to an RCE.
• Log4JShell Vulnerability Explained in Simple Terms
• The Log4j vulnerability | The Backend Engineering Show - Explanation of the Log4Shell vulnerability(CVE-2021-44228).
• Can we find Log4Shell with Java Fuzzing? 🔥 (CVE-2021-44228 - Log4j RCE) - Finding the famous Java Log4Shell RCE (CVE-2021-44228) using fuzzing.

Vulnerable Software

• NCSC-NL repository - National Cyber Security Centrum list of vulnerable/non-vulnerable software.
• Swithak - List of vendor advisories related to log4shell.
• Elastic - Deep dive into which versions of Elastic are vulnerable and how to fix.
• CISA - CISA list of vulnerable software.

Detection & Remediation

• Snyk Detection and Remediation - Find and fix using Snyk.
• Remediation cheat sheet - Remediation cheat sheet from Snyk.
• OWASP Core Rule Set - Detection and Bypass guidelines
• Log4Shell Tester from Trendmicro - Tool to determine vulnerability.
• Exploiting and Mitigating CVE-2021-44228: Log4j Remote Code Execution (RCE) by Sysdig - Mitigation steps and explanation using Falco and Sysdig Secure.
• Curated Intelligence Trust Group - Aggregated list of indicators of compromise feeds and threat reports.
• Community Sourced Log4J Attack Surface - List of Log4j attack vectors in popular manufacturers' products.
• MSSP Alert - Good mitigation practices.
• log4shell-detector - Checks logs for exploitation attempts.
• Huntress vulnerability tester - Web based tester.
• Container scanners - How to detect using container scanners.
• Bash IOC scanner - Latest Fenrir supports checking for log4shell compromise and vulnerability.
• Burp Plugin detector - Burp plugin to detect vulnerable hosts.
• Threatview IP list - List of IP addresses currently exploiting log4shell.
• LizardLabs query tool - Search for vulnerable jar files using MS Log Parser.
• Canary tokens - Use a canary token to test for vulnerable systems.
• Exploit Strings data - JNDI exploit strings seen in the wild by Rapid7.
• log4j-detector - Detects vulnerable log4j versions on your file-system within any application.
• log4jshell-bytecode-detector from CodeShield - Analyses jar files and detects the vulnerability on a class file level. The repository additionally contains a list of Artifacts on Maven Central that are also affected.
• Mitigate attacks using Nginx - A simple and effective way to use Nginx (using a Lua block) to protect against attacks.
• OWASP Core Rule Set - Modsecurity CRS rules.
• AWS daemonset - Daemonset from AWS to mitigate vulnerable instances in Kubernetes.
• Hotpatch tool - JVM level hotpatch tool from AWS.
• Public hunt for WAF bypasses - Public hunt for WAF bypasses.
• log4j-resources - Resources and guides collected by GitLab's Developer Evangelism team.
• How Traefik Plugins Protect Your Apps Against the Log4j Vulnerability - How Traefik Plugins Protect Your Apps Against the Log4j Vulnerability.
• Google Cloud recommendations for investigating and responding to the Apache “Log4j 2” vulnerability - Google Cloud recommendations for Detection and Remediation of the Log4Shell vulnerability.
• Security Vulnerability in Minecraft: Java Edition - Remediation for Java minecraft servers affected by log4j

Articles

• Log4Shell: Redefining Painful Disclosure
• The Gift of It's Your Problem Now
• Discoveries as a Result of the Log4j Debacle
• LOG4J / LOG4SHELL (PART 1): MISCONCEPTIONS

Twitter Discussions

• Log4Shell spreadsheet - Spreadsheet for defenders listing vendors and products.
• Incredible discussion around Log4j - Best list of vulnerable software, services and patches

Examples & Proofs of Concept

• Log4Shell PoC - Full stack demo including Java LDAP and HTTP servers and vulnerable Java client. NOTE: It's part of the larger java-goof repo. Look at the log4shell-goof module.
• Log4Shell vulnerable Java application - Spring Boot web application vulnerable to Log4shell for easy reproduction.
• Various Log4Shell PoC - Analysis of various products with curl-based proof of concepts. Includes Struts2, Solr, VSphere, Druid, James, and more.
• Gamifying Log4j Vulnerability - Exploit Log4J in example code.
• CVE-2021-44228 log4j Exploitation in Action: RCE reverse shell on AWS cloud - Log4Shell exploitation with RCE reverse shell on AWS Cloud.
• Analysis of the Log4Shell vulnerability in addition to protection codes and unit tests.
• Tool to retrieve the payload from a server delivering Log4Shell payloads.

Memes

• Log4J memes - Sometimes we still need a smile.

Contribute

Contributions welcome! Read the contribution guidelines first.