Quick Overview
The gravest cyber threat of modern times is upon us in the form of CVE-2021-44228. Here are some key resources:
- CVE-2021-44228: Apache Log4j <=2.14.1 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
- Severity: Critical
- Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Versions Affected: all versions from 2.0-beta9 to 2.14.1
- Apache Security Advisory
- Digging deeper into Log4Shell
- Which services, vendors, and components are affected?
- A huge number of exploits and variations of payloads have been reported; Cloudflare is tracking them here.
How to Protect Your Organization: Measure Your Exposure and Enumerate Attack Paths
To find out quickly how exposed you are to a Log4j 2 exploit and prioritize remediation, start by enumerating the virtual machines and pods that are directly or indirectly exposed to the internet. We used ThreatMapper to detect our own exposure, caused by Elasticsearch (since fixed), as follows. Dogfooding much!
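The prioritisation described above, as an added example that is not ThreatMapper's or Deepfence's own code: it takes a hypothetical inventory export (one record per VM or pod with the log4j-core version found on it and whether it is internet-facing directly, indirectly, or not at all), checks each version against the affected range stated on this page (2.0-beta9 through 2.14.1), and orders the affected workloads so that internet-facing ones come first. The inventory records are constructed sample data.

```python
"""Rank Log4Shell (CVE-2021-44228) exposure across a workload inventory.

Added example, not ThreatMapper's own code. Assumes a hypothetical inventory
export with, per workload, the log4j-core version found on disk and an
exposure label: "direct" (reachable from the internet), "indirect" (reachable
only through another exposed workload) or "none".
The affected range, 2.0-beta9 through 2.14.1, is the one stated on the page.
"""
import re

# Log4j 2 pre-release ordering: beta < rc < final release.
_PRERELEASE_RANK = {"beta": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_log4j_version(text: str) -> tuple:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre_kind, pre_num = m.groups()
    prerelease = (_PRERELEASE_RANK[pre_kind], int(pre_num)) if pre_kind else (_FINAL_RANK, 0)
    return (int(major), int(minor), int(patch or 0), prerelease)


AFFECTED_LOW = parse_log4j_version("2.0-beta9")
AFFECTED_HIGH = parse_log4j_version("2.14.1")


def is_affected(version: str) -> bool:
    """True when the version falls inside the range the advisory lists for this CVE."""
    v = parse_log4j_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


# Lower number = fix first. Internet-facing workloads are the first attack path.
EXPOSURE_RANK = {"direct": 0, "indirect": 1, "none": 2}


def prioritise(inventory: list) -> list:
    """Return affected workloads only, most exposed first (priority 1 = direct)."""
    findings = []
    for item in inventory:
        version = item.get("log4j_version")
        if not version or not is_affected(version):
            continue  # no log4j-core found, or outside the stated range for this CVE
        exposure = item["exposure"]
        findings.append({
            "name": item["name"],
            "kind": item["kind"],
            "version": version,
            "exposure": exposure,
            "priority": EXPOSURE_RANK[exposure] + 1,
        })
    findings.sort(key=lambda f: (f["priority"], f["name"]))
    return findings


# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    {"name": "es-data-0", "kind": "pod", "log4j_version": "2.11.1", "exposure": "indirect"},
    {"name": "api-gateway", "kind": "pod", "log4j_version": "2.14.1", "exposure": "direct"},
    {"name": "batch-worker", "kind": "vm", "log4j_version": "2.0-beta9", "exposure": "none"},
    {"name": "legacy-app", "kind": "vm", "log4j_version": "1.2.17", "exposure": "direct"},
    {"name": "patched-svc", "kind": "pod", "log4j_version": "2.15.0", "exposure": "direct"},
    {"name": "static-site", "kind": "pod", "log4j_version": None, "exposure": "direct"},
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['kind']:<3} {f['name']:<14} log4j {f['version']:<10} exposure={f['exposure']}")
```

Running the block lists api-gateway (direct, P1), then es-data-0 (indirect, P2), then batch-worker (not exposed, P3); the log4j 1.x host, the host outside the stated range and the workload with no log4j-core at all are left out. Version strings are compared as tuples rather than as text so that 2.0-beta9 sorts below 2.0 and 2.9.1 below 2.14.1.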