log4j vulnerability links, plus some interesting tools
While dealing with the log4j problem, here are some links that turned up in searching or that others shared.
- Anchore’s grype scans container images, JAR files, etc. for known-vulnerable versions of Java packages (among other things). They also have syft, which generates software bill of materials (SBOM) reports. (Hat tip to the ACSC for pointing to the latter.)
- Google’s security team has published an interesting article assessing the breadth of log4j usage in other packages, including the complexity of transitive dependencies: “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down).”
- This LGTM report suggests Apache log4j 2.17 might still have some JNDI things to check.
- Huntress log4j tester might be useful for quickly checking your own internet-facing systems.
- @nathanqthai at Grey Noise Intelligence has published examples of attempted exploitation of the log4j vulnerability in the wild.
- AWS is apparently hotpatching their services, with coverage in this advisory.
- CyberCX NZ has a useful article with suggestions for how to handle the remaining marathon on CVE-2021-44228 without burning people out.
Some other security resources:
- CVE Trends is a quick dashboard of which CVEs people are talking about on Twitter.
- CISA Crossfeed is an open source external vulnerability management system (VMS) and attack surface enumerator.
- OWASP Amass is also for enumerating attack surface.
- Rapid7 Project Sonar is scanning the internet and making the data available here.
- Nuclei does non-invasive vulnerability testing.
- GoPhish is an open source phishing simulation system. CISA has some tools for working with it.
- This presentation is a useful intro to Velociraptor, an endpoint DFIR tool.
- Microsoft provides free, time-limited virtual machines containing Microsoft Windows and Edge/IE11 for testing.