The video has been created to explain Log4J and a little about the Log4Shell vulnerability.
|Apache License||The Apache License is a permissive free software license written by the Apache Software Foundation|
|API||Application Programming Interface – A way to allow software to communicate using pre-agreed standards and language|
|Burp Suite||A Web Application attack tool/suite of tools|
|Defence In Depth*||The idea that you have a layered security approach, rather than relying on a single technology or system for defence|
|HTTP Header||Server/Client communications portion of web browsing traffic|
|Java||Java is a high-level, class-based, object-oriented programming language|
|JNDI||Java Naming and Directory Interface|
|LDAP*||Lightweight Directory Access Protocol – The protocol the attacker is using or simulating in order to deliver the malicious code|
|Lookup*||Utilising a built in commands to allow variables to be retrieved|
|Open Source||The original source code is made freely available and may be redistributed and modified|
|RMI||Remote Method Invocation – Java API|
|Sanitised Inputs||Validating the input is what is expected for the field, further reading – https://cwe.mitre.org/data/definitions/20.html|
|Security Assessment||This point could be it’s own video. However in short: this can range from a Vulnerability assessment, simulating an attacker through to working with your internal teams to help threat hunting and defending|
|Vulnerability*||A weakness in Software code that can be used by an attacker to exploit that system|
*In the context of the Log4J video. With a different context the definition may change.
Do I have software that is vulnerable?
Check out this page from the Dutch NCSC around known software and it’s vulnerability status, and a post from Bleeping Computer that shows a list of known vulnerable applications
Video and Glossary Refences & thanks:
- https://github.com/NCSC-NL/log4shell/blob/main/software/README.md (did we use it?)
- https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/ (did we use it)