In dealing with the
log4j problem, some links that turned up in searching or that others shared.
- Anchore’s grype scans container images, JAR files, etc for known-vulnerable versions of Java packages (among other things). They also have syft which generates software bill of materials (SBOM) reports. (Hat tip to the ACSC for pointing to the latter.)
- Google’s security team has published an interesting article assessing the breadth of
log4jusage in other packages, including the complexity of transitive dependencies: “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down).”
- This LGTM report suggests Apache log4j 2.17 might still have some JNDI things to check.
- Huntress log4j tester might be useful for quickly checking your own internet-facing systems.
- @nathanqthai at Grey Noise Intelligence has published examples of attempted exploitation of the log4j vulnerability in the wild
- AWS is apparently hotpatching their services, with coverage in this advisory
- CyberCX NZ has a useful article with suggestions for how to handle the remaining marathon on
CVE-2021-44228without burning people out.
Some other security resources:
- CVE Trends is a quick dashboard of which CVEs people are talking about on Twitter.
- CISA Crossfeed is an open source external VMS/attack surface enumerator.
- OWASP Amass is also for enumerating attack surface.
- Rapid7 Project Sonar is scanning the internet and making the data available here.
- Nuclei does non-invasive vulnerability testing.
- GoPhish is an open source phishing simulation system. CISA has some tools for working with it.
- This presentation is a useful intro to Velociraptor, an endpoint DFIR tool.
- Microsoft provides free, time-limited virtual machines containing Microsoft Windows and Edge/IE11 for testing.