Log4J Security Vulnerability: CVE-2021-44228 (Log4Shell) - in 7 minutes or less (PATCH NOW!)

Captions
Hi, and welcome back to the DevXplaining channel. Today I have a quick security advisory for you. There's been a nasty exploit for Java and the log4j library, and unfortunately that's a highly popular one, so there's a lot of software that's affected, that's vulnerable. So I wanted to do a quick video and shortly explain what this is about, how you know if you are vulnerable, and how you fix yourself so you are not vulnerable anymore. So let's dive into it right now.

A few days back there was a lot of buzz about this new zero-day exploit that was found, and there are a lot of proof of concepts and exploits, and even memes, around right now for this. So who is impacted? Well, if you are running Java and you have this dependency there (you might or might not know about it, I'll get back to that), if you are running Java and using log4j as part of the solution, then it's highly possible that you are vulnerable. There are a lot of scenarios in which case you might not be vulnerable, but let's go to that as well a little bit later.

The library dependency that makes you vulnerable is anything that begins from 2.0 and anything that's before the official 2.15. So here it says 2.14.1, but also 2.15 release candidates are still vulnerable. So the permanent mitigation would be that you simply update your library to 2.15, the official release, and then you're not vulnerable for this one anymore. There are also some quick fixes to do a temporary mitigation. I won't go into details, but you can use some Java command line switches to not do any lookups for log messages; that's pretty safe to be running anyway, unless you want to do lookups in your logging framework. There's also a possibility to modify some patterns etc., so you can make older versions of log4j... you can remove the vulnerability from there as well. So that's good news. I will drop all the links I'm showing here, as usual, in the description of my video, so you can dive deeper and really fix things for you. But as I said, the quickest fix would be just to make sure you are not running old versions of log4j version 2, and update if you are.

Okay, so what else? Well, I'm going to also drop this link, just to show you how severe this is: there's a list of vendors or components that have been vulnerable and verified. And the nasty thing is that, let's say here is Apple: if you have software that accepts something from the user interface, and that something might end up in the logging through log4j, well, it means you might be vulnerable to things like this. So then people are able to inject executable code inside your log4j. I think one that caught my eye was Minecraft here. So Minecraft, you can attack it through the chat if it's not updated. So this is a rather severe vulnerability, it's easy to exploit. One nasty thing is that Minecraft is not just a single server; there are servers all around the world, and any servers that are not patched, any servers that have this particular version of log4j, people might be attacking them as we are speaking right now, through the chat. So that's pretty nasty. There are some Python scripts available for how you can measure if you are vulnerable, and the log4j library page on Apache is also listing the vulnerability and talking about the fix as well. So: a severe vulnerability affecting a lot of software right now, so please be aware of this.

You might have the dependency, unfortunately, even if you haven't included it specifically, because if you're using Maven, like I often am, there might be transitive dependencies. So you might have declared a library that lists log4j 2.something as a dependency, and then you would be vulnerable. With Maven or Gradle, one fast way to fix this is just to raise the latest log4j, 2.15.0, as a top-level dependency yourself, so that would typically override any transitive dependencies and you would get the latest version available for yourself.

But security is kind of a rapid game these days, so there might be a new vulnerability that is severe and it's then immediately actively exploited. So you have to play this little game: you have to fix things immediately, you have to first of all be aware of things like this. And to be honest, I'm suspecting that this vulnerability has been around for quite some time, and it's probably been exploited as well for quite some time, but it's very difficult to pick something up if you don't know that it's out there. So now you are aware: right now, if you watch this video, you know how severe this can be and you know how easily it can be attacked on any software that puts anything that users might input in the logs. Okay, and by the way, some people have even been using this to put these injections in the HTTP headers, so it's not really user input, but it's still easy to exploit.

Okay, so I hope this was interesting and useful for you. It is pretty severe. I immediately checked any software that I'm even indirectly running anywhere for this, just to make sure that I'm not running those vulnerable versions of log4j. That's the minimum, that's the least you can do right now. Okay, well, if you're watching this on Sunday, perhaps not right now, depends on your security consciousness, but at least put this as a very high priority at the top of the backlog and do it rather immediately. And if you're running some hobby software or some experiments of yourself, you can really fix it like right now. Okay, thanks for watching and see you in the next video. Bye bye.
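The video points out that log4j often arrives as a transitive dependency and that 2.15.0 release candidates are still inside the vulnerable range. The following added example (not from the video or the log4j project) scans the text output of Maven's `dependency:tree` for `log4j-core` and flags versions in the range the video describes, 2.0 up to but not including the official 2.15.0; the dependency tree it is run on is constructed sample data, not output from a real project.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not a real project).
# It mixes a direct log4j-api dependency with log4j-core pulled in transitively
# at three different versions, including a 2.15.0 release candidate.
SAMPLE_TREE = """\
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.15.0-rc1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
"""

# Matches the groupId:artifactId:type:version part of a dependency:tree line.
DEP_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+)")


def parse_version(version):
    """Split '2.15.0-rc1' into ((2, 15, 0), 'rc1'); an empty qualifier is a final release."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(part) for part in base.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad '2.0' to (2, 0, 0)
    return nums, qualifier.lower()


def is_vulnerable(version):
    """Range as stated in the video: from 2.0 up to, but excluding, the official 2.15.0.
    Pre-releases of 2.15.0 (e.g. 2.15.0-rc1) are still treated as vulnerable."""
    nums, qualifier = parse_version(version)
    if nums < (2, 0, 0):
        return False  # 1.x is outside the range discussed here
    if nums < (2, 15, 0):
        return True
    if nums == (2, 15, 0) and qualifier:
        return True  # 2.15.0-rcN is not the official fixed release
    return False


def find_vulnerable(tree_output):
    """Return the sorted, de-duplicated vulnerable log4j-core versions in the tree."""
    found = set()
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match and is_vulnerable(match.group(1)):
            found.add(match.group(1))
    return sorted(found)


if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_TREE)
    print("vulnerable log4j-core versions:", hits or "none")
```

Only the two transitively pulled-in versions are reported; the top-level 2.15.0 is the override the video recommends, but the tree shows it does not help until every path resolving to an older log4j-core is gone.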
Info
Channel: DevXplaining
Views: 21,317
Keywords: log4j in java, java, log4j, log4j exploit, log4j vulnerability, java exploit, security, cyber, cybersecurity, exploit, vulnerability, log4shell, zero-day, CVE-2021-44228
Id: ipWGcHeXCKw
Length: 6min 50sec (410 seconds)
Published: Sat Dec 11 2021