This path is partially mitigated by the use of newer Java runtimes that block the URL-based class loader by default. The first examples of this used the $ path, which could lead to arbitrary code being loaded from a remote URL. ![]() The most significant impact is that an attacker can cause a string to reach the logger, that when processed by Log4J, executes arbitrary code. ![]() This issue is widespread because many developers were unaware that Log4J was dangerous to use with unfiltered input. This particular vulnerability - tracked as CVE-2021-44228 with the maximum “critical” CVSS score of 10 - resides in Log4J’s lookup capability, combined with JNDI (Java Naming and Directory Interface). Internet discussion was abuzz on December 9th about an 0-day vulnerability that can yield remote code execution (RCE) in Apache’s popular Log4J logging library for Java. runZero is not a vulnerability scanner, but you can share runZero’s results with your security team for investigation and mitigation. ![]() RunZero can help you build an up-to-date asset inventory and search for assets that may be affected by Log4J vulnerabilities, such as Log4shell.
0 Comments
Leave a Reply. |