This video was created to explain Log4J and, briefly, the Log4Shell vulnerability. The glossary below covers the terms used in it.
| Term | Definition |
|---|---|
| Apache License | A permissive free-software licence written by the Apache Software Foundation; Log4J is released under it |
| API | Application Programming Interface – a way to let pieces of software communicate using pre-agreed standards and language |
| Burp Suite | A web application security testing tool/suite of tools, used to craft and send the HTTP requests that carry an attack string |
| Defence In Depth* | A layered security approach, rather than relying on a single technology or system for defence |
| HTTP Header | A name/value field in an HTTP request or response (for example `User-Agent`) that carries metadata between client and server; web servers commonly log request headers, which is why an attack string placed in one reaches Log4J |
| Java | A high-level, class-based, object-oriented programming language |
| JNDI | Java Naming and Directory Interface – a Java API for looking up objects by name in naming and directory services such as LDAP, DNS and RMI; Log4J's `${jndi:...}` lookup calls it |
| LDAP* | Lightweight Directory Access Protocol – a protocol for querying directory services. In the attack the JNDI lookup is pointed at an LDAP server the attacker controls (or simulates), which answers with a reference to the malicious code that the vulnerable application then fetches and runs |
| Lookup* | Log4J's `${name:key}` syntax for substituting a value (an environment variable, a system property, a JNDI-resolved object, and so on) into a log message at run time. In vulnerable versions the substitution is also performed on the logged data itself, so attacker-supplied text can trigger a lookup |
| Open Source | The original source code is made freely available and may be redistributed and modified |
| RMI | Remote Method Invocation – a Java API for calling methods on objects in another JVM; `rmi://` is another URL scheme a JNDI lookup can be pointed at |
| Sanitised Inputs | Validating that input is what is expected for the field before it is used; further reading: CWE-20, https://cwe.mitre.org/data/definitions/20.html |
| Security Assessment | This could be its own video. In short: anything from a vulnerability assessment, through simulating an attacker, to working with your internal teams on threat hunting and defence |
| Vulnerability* | A weakness in software that an attacker can use to compromise the system running it |
*In the context of the Log4J video. With a different context the definition may change.
Do I have software that is vulnerable?
Check out this page from the Dutch NCSC, which tracks known software and its vulnerability status, and a post from Bleeping Computer that lists known vulnerable applications and vendor advisories:
- https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
- https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
Video and glossary references & thanks:
- https://logging.apache.org/log4j/2.x/
- https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know
- https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
- https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
- https://docs.oracle.com/javase/jndi/tutorial/getStarted/overview/index.html
- https://www.ietf.org/rfc/rfc2255.txt
- https://ldap.com/ldap-urls/