Hello, welcome to the Wednesday, December 29th, 2021 edition of the Sansonet Stormsendor's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

And well, I'm sorry about the year is ending with yet another log for J update, yet one more remote code execution vulnerability.

However, this one can only be exploited by actually modifying the logging configuration.

Rook-COS is again J-NDI or Gindi, and yes, the exploit pattern sort of is the same, but modifying the configuration

shouldn't be as easy and as common as some of the other flaws, so that's why I wouldn't

really assign it the same priority as you get from the prior vulnerabilities.

The latest version with this is Log 4J217.1.

That's for Java 8.

For Java 7, we're now up to 2.12.4.

And for Java 6, it's now 2.3.2.

And the fix here is essentially that by default, JNDI is disabled and the JDBC appender will only allow JNDI if the specific system property is set to true.

The CVE number for this vulnerability is 2021-44832,

and the CBSS score is 6.6.

And in Diaries today, we have a great one by Russ. He's introducing work done by the Adobe Security

Coordination Center and their Secure Intelligence Group, where they open-sourced some

machine learning classifiers for living off the land attacks. The problem is old, but in some ways

also very current in, for example, Renato talking

earlier this week about how MS-built is being used by attackers in attacks like this.

The work published by Adobe here does contain classifiers for, for example, shells and

ex-fill attempts and also coin miner.

So some of the more common attacks that you may be seeing, and the idea is that you

...