Re: log4j trivial RCE (similar to ShellShock) - "Log4Shell" CVE-2021-44228
All previous mitigations - based on anything other than upgrading to log4j 2.16 or entirely removing JndiLookup classes - are no longer effective mitigations.
If your vendors have not yet supplied patches that upgrade to 2.16, your best bet may be to remove the JndiLookup class.
This page from Apache itself is the best summary of the latest practical upshot of the vulnerability and effective mitigation: https://logging.apache.org/log4j/2.x/security.html
For detection and mitigation on Unix-likes, this is a really good tool, based on pure shell (so highly portable), written by Yahoo's security team. By default it just detects. It has an optional flag that will make a zipped backup copy of a jar or war file, and then attempt to remove the affected class.
https://github.com/yahoo/check-log4j (Unix-likes only)
See my page for other mitigations - I'm updating best-effort in my spare time. My page also has other major lists you can check for your products if you haven't heard back from your vendor yet.
(Also for folks who play or have kids who do, update all Minecraft if you haven't already)
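As an added illustration of the detect-then-strip workflow the post describes (this is example code written for this page, not the yahoo/check-log4j script or anything from Apache), the following stdlib-only Python walks a directory, reports every jar/war/ear that carries `org/apache/logging/log4j/core/lookup/JndiLookup.class`, including copies nested inside a war's embedded jars, and can back up and strip a top-level copy. The `.bak` backup name, the `--fix` flag and the `build_constructed_sample()` fixture (a fake log4j-core jar and a war that embeds it, built from placeholder bytes) are this example's own assumptions, not conventions of any real tool.

```python
"""Added example: find JndiLookup.class in Java archives and optionally remove it.
Not the yahoo/check-log4j tool; stdlib only so it runs anywhere Python does."""
import io
import os
import shutil
import tempfile
import zipfile

# Class that the Apache advisory says to remove when upgrading is not possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _find_in_zip(zf, prefix=""):
    """Yield locations of JndiLookup.class inside an open ZipFile, descending into
    embedded jars (e.g. WEB-INF/lib/log4j-core.jar inside a war)."""
    for name in zf.namelist():
        if name == JNDI_LOOKUP_CLASS:
            yield prefix + name
        elif name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _find_in_zip(inner, prefix + name + "!/")
            except zipfile.BadZipFile:
                continue  # not really a jar; ignore


def find_jndi_lookup(archive_path):
    """Return every location ('nested.jar!/...' for embedded jars) of the class."""
    with zipfile.ZipFile(archive_path) as zf:
        return list(_find_in_zip(zf))


def scan_tree(root):
    """Map each affected archive under root to the locations found in it."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                try:
                    found = find_jndi_lookup(path)
                except zipfile.BadZipFile:
                    continue
                if found:
                    hits[path] = found
    return hits


def remove_jndi_lookup(archive_path, backup=True):
    """Strip a top-level JndiLookup.class, first copying the archive to <path>.bak.
    Returns True if an entry was removed. A copy nested inside an embedded jar is
    left untouched (scan_tree still reports it); unpack that inner jar first."""
    with zipfile.ZipFile(archive_path) as zf:
        if JNDI_LOOKUP_CLASS not in zf.namelist():
            return False
        keep = [(info, zf.read(info.filename)) for info in zf.infolist()
                if info.filename != JNDI_LOOKUP_CLASS]
    if backup:
        shutil.copy2(archive_path, archive_path + ".bak")  # assumed backup name
    tmp_path = archive_path + ".tmp"
    with zipfile.ZipFile(tmp_path, "w") as out:
        for info, data in keep:
            out.writestr(info, data)  # keeps entry order, method and timestamps
    os.replace(tmp_path, archive_path)
    return True


def build_constructed_sample():
    """Constructed fixture for demonstration: a fake log4j-core jar holding the
    class (placeholder bytes, not real bytecode) and a war embedding that jar.
    Returns (root_dir, jar_path, war_path)."""
    root = tempfile.mkdtemp(prefix="log4shell-demo-")
    jar = os.path.join(root, "log4j-core-constructed.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class",
                   b"\xca\xfe\xba\xbe")
    war = os.path.join(root, "app-constructed.war")
    with zipfile.ZipFile(war, "w") as z:
        z.write(jar, "WEB-INF/lib/log4j-core-constructed.jar")
        z.writestr("index.html", "<html></html>")
    return root, jar, war


if __name__ == "__main__":
    import sys
    fix = "--fix" in sys.argv
    root = next((a for a in sys.argv[1:] if a != "--fix"), ".")
    for path, where in scan_tree(root).items():
        print(path, where)
        if fix and remove_jndi_lookup(path):
            print("  removed JndiLookup.class (backup at %s.bak)" % path)
```

Run it as `python3 scan.py /opt/app` to report, or add `--fix` to strip top-level copies after backing each archive up. The nested-jar caveat matters in practice: most web apps ship log4j-core inside `WEB-INF/lib`, so a plain "does the war contain the class" check misses it, and stripping it means rewriting the inner jar rather than the war.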
On Fri, Dec 10, 2021 at 7:42 AM Royce Williams <royce@...> wrote: