SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, December 13th, 2021

SANS ISC Handlers

Tech News, News, Technology

🗓️ 13 December 2021

⏱️ 8 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Infocon Raised to Yellow for #Log4Shell / #Log4j2 Vulnerability

Transcript

0:00.0

Hello, welcome to the Monday, December 13, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:14.2

Well, Friday, I guess I was lucky in the sense that I was able to get Log4j, or Log4Shell, as it's now called, into the podcast.

0:24.7

It's certainly kept us busy on Friday and over the weekend.

0:29.6

Monday at noon Eastern time we'll have a special live stream with Bojan and Mick in order to discuss some of the issues around

0:41.0

Log4Shell. So if you have some time, join in. And let me here just summarize a little bit

0:47.3

some of the things that we learned this weekend. So the vulnerability here is in the Log4j2 library, and the issue is that this library

0:58.8

is used, well, for logging, as the name implies, but it has the ability to actually sort of

1:05.0

expand certain JNDI strings that are being included in the logs, and this can lead to remote code execution.

1:14.5

It's triggered essentially by tricking Log4j into logging a specific string.

1:21.4

So in order to make an exploit work, you have to find some software that uses this library,

1:35.2

and then you have to find a way to feed a string to that software that is being logged via Log4j.

1:43.6

And this process makes it a little bit tricky to figure out which software exactly is vulnerable, which one is not vulnerable.

1:47.0

So Log4j being included and used by the software is your first pointer that it's possibly vulnerable, but some software, for example, Elasticsearch,

1:55.6

has a special Java security manager included that limits what libraries like Log4j are able to do.

2:03.2

So in this case, you are not vulnerable.

2:06.9

And for other software, like for example, VMware's vCenter, you are vulnerable,

2:11.7

but you have to find the right kind of way to expose vCenter to the exploit string, so it's actually

2:20.9

being logged by Log4j.

2:23.7

So a simple exploit, as you have sort of seen them around, may not work in this case.

2:29.2

The standard test that a lot of people are using is where they're using this JNDI string and then they're using

2:36.8

an LDAP command and a host name, and then they're looking for DNS lookups for the host name.

2:44.1

There have been some false positives here.

...
