In dealing with the log4j problem, some links that turned up in searching or that others shared.

  • Anchore’s grype scans container images, JAR files, etc. for known-vulnerable versions of Java packages (among other things). They also have syft, which generates software bill of materials (SBOM) reports. (Hat tip to the ACSC for pointing to the latter.)
  • Google’s security team has published an interesting article assessing the breadth of log4j usage in other packages, including the complexity of transitive dependencies: “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down).”
  • This LGTM report suggests Apache log4j 2.17 might still have some JNDI-related code paths worth checking.
  • Huntress log4j tester might be useful for quickly checking your own internet-facing systems.
  • @nathanqthai at Grey Noise Intelligence has published examples of attempted exploitation of the log4j vulnerability in the wild.
  • AWS is apparently hotpatching their services, with coverage in this advisory.
  • CyberCX NZ has a useful article with suggestions for how to handle the remaining marathon on CVE-2021-44228 without burning people out.

Some other security resources: