Posts
Log4j
A critical exploit in widespread Java library has been found, disrupting much of the internet as server admins scramble to fix it. The vulnerable component, log4j, is used everywhere as an included library, so you will need to check your servers and make sure they’re updated. How Does This Exploit Work? As far as exploits go, the log4j ulnerability is by far one of the worst in the last few years, scoring a rare 10/10 on the CVSS scale, and is going to haunt the entire internet for many years to come. What’s worse is that log4j isn’t an application—it’s an open source library used by many other applications. You may not have it installed directly; it might be included in other .jar files, or installed by other applications as a dependency. Essentially, it allows attackers to send text to your application, and if it logs it somewhere (eg., logging a user controlled agent string in a web server), you server will execute malicious code. The format of the text looks like the ...