Hackers vs. Developers // CVE-2021-44228 Log4Shell (17:43)

2021-12-17

35.6K views, 12.6K likes

Channel: LiveOverflow

Let's try to make sense of the Log4j vulnerability called Log4Shell. First we look at the Log4j features and JNDI, and then we explore the history of the recent Log4Shell vulnerability. This is part 1 of a two-part series on Log4j.

Log4j Issues:

2013: https://issues.apache.org/jira/browse/LOG4J2-313

2014: https://issues.apache.org/jira/browse/LOG4J2-905

2017: https://issues.apache.org/jira/browse/LOG4J2-2109

Log4j 2 Security: https://logging.apache.org/log4j/2.x/security.html

German Government Warning: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Cloudflare: https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/

A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land (Black Hat USA 2016 slides): https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

whitepaper: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf

---

00:00 - Intro

01:05 - BugBounty Public Service Announcement

02:23 - Chapter #1: Log4j 2

03:38 - Log4j Lookups

04:15 - Chapter #2: JNDI

06:01 - JNDI vs. Log4j

06:35 - Chapter #3: Log4Shell Timeline

07:33 - Developer Experiences Unexpected Lookups

09:51 - The Discovery of Log4Shell in 2021

11:08 - Chapter #4: The 2016 JNDI Security Research

11:56 - Java Serialized Object Features

13:27 - Why Was The Security Research Ignored?

14:44 - Chapter #5: Security Research vs. Software Engineering

16:49 - Final Words and Outlook to Part 2

17:23 - Outro

-=[ ā¤ļø Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ šŸ• Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/

→ Instagram: https://instagram.com/LiveOverflow/

→ Blog: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/
