Google 提供掃描 JAR 檔內是否有中獎的 Log4j 的工具
source link: https://blog.gslin.org/archives/2022/01/02/10487/google-%e6%8f%90%e4%be%9b%e6%8e%83%e6%8f%8f-jar-%e6%aa%94%e5%85%a7%e6%98%af%e5%90%a6%e6%9c%89%e4%b8%ad%e7%8d%8e%e7%9a%84-log4j-%e7%9a%84%e5%b7%a5%e5%85%b7/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Google 提供掃描 JAR 檔內是否有中獎的 Log4j 的工具
在 Hacker News 首頁上看到 Google 提供了一套用 Golang 寫的工具,可以掃描 JAR 檔裡面是否有中獎的 Log4j:「log4jscanner」,對應的討論在「Log4jscanner (github.com/google)」這邊。
看起來是內部工具,放出來前先把 vcs history 清掉了:
We unfortunately had to squash the history when open sourcing. The following contributors were instrumental in this project's development: [...]
另外討論裡也有人提到「OWASP Dependency-Check」這個工具也可以掃,這套就更一般性了:
Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST.
Related
受到 Log4j2 影響的清單
最近大家都在忙著補 Log4j2 的安全漏洞 (先前在「Log4j2 的 RCE」這邊有提到),有人整理了目前受到影響的軟體的清單以及對應的討論連結:「Log4Shell log4j vulnerability (CVE-2021-44228) - cheat-sheet reference guide」。 用這包來翻起來會方便一些,另外也可以順便翻一下有什麼其他軟體中獎... 然後 Cloudflare 的 CEO Matthew Prince 在 Twitter 上有提到從他們家的資料看起來,2021/12/01 就已經有攻擊在外面跑了,這也是之前會說這是 0-day 的原因: Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days…
December 14, 2021In "Computer"
Log4j2 的 RCE
昨天爆出來 Log4j2 的 RCE,看了一下 pattern,只要是 Java stack 應該都很容易中獎:「Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package」,Hacker News 上對應的討論在「Log4j RCE Found (lunasec.io)」這邊可以看。 LunaSec 宣稱這是 0-day RCE,不過 Log4j2 的修正版本 2.15.0 在 2021/12/06 出了,而 exploit 被丟出來是 2021/12/09,但不確定在這之前是不是已經有 exploit 在 internet 上飛來飛去了... 丟出來的 exploit sample (CVE-2021-44228-Apache-Log4j-Rce) 是用 LDAP 來打,雖然大多數的 Java 版本不受影響,但還是有其他的面可以攻擊,所以整體上還是很容易打穿,該升級的還是得趕快升級:…
December 11, 2021In "Computer"
Zoom 的浮水印功能
在 Hacker News Daily 上看到 The Intercept 介紹了 Zoom 的浮水印功能,以及如果你要洩密的話要如何自保:「What You Should Know Before Leaking a Zoom Meeting」。這篇文章主要不是談 Zoom 之前被討論的那些問題,而就 Zoom 的浮水印功能來討論。 Zoom 支援 video watchmark 與 audio watchmark: 依照描述的兩個方式,看起來都不難破,但主要是要提醒記者,如果要放出線人提供的 Zoom 錄音或是錄影,要注意到裡面是否有 watchmark 導致線人的資訊被洩漏: Journalists should also be wary of publishing raw audio leaked from Zoom meetings, particularly if the…
January 22, 2021In "Computer"
Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
Notify me of follow-up comments by email.
Notify me of new posts by email.
To respond on your own website, enter the URL of your response which should contain a link to this post's permalink URL. Your response will then appear (possibly after moderation) on this page. Want to update or remove your response? Update or delete your post and re-enter your post's URL again. (Learn More)
Post navigation
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK