Скачать или смотреть Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)

📧 Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
📣 Follow me on Twitter: https://bbre.dev/tw


This video is an explanation of the recent RCE vulnerability in Log4j (CVE-2021-44228, CVE-2021-45046) that affect many Java applications across the whole Internet. Importantly, the initial fix deployed can also be bypassed so even those who patched may still be vulnerable.
From the video, you will learn what is log4j vulnerability is, how to create a log4j exploit to check if your Java app is vulnerable and how to fix the vulnerability before the bad guys detect it.

✉️ Sign up for my newsletter✉️
https://mailing.bugbountyexplained.com/

Log4j lookups: https://logging.apache.org/log4j/2.x/...
Official recommendations: https://logging.apache.org/log4j/2.x/...
Tool used: https://github.com/welk1n/JNDI-Inject...
List of affected companies: https://github.com/cisagov/log4j-affe...
Sources:
https://www.lunasec.io/docs/blog/log4...
  / 1471740771581652995  

🖥 Get $100 in credits for Digital Ocean 🖥
https://m.do.co/c/cc700f81d215

Follow me on twitter:
  / gregxsunday  

Timestamps:
00:00 Intro
00:29 What are JNDI lookups in Log4j?
01:45 Base version of the attack
03:00 The fix for Log4j 2.x before 2.10
03:19 Why fix for versions 2.10 before 2.15 is not working (CVE-2021-45046)
06:09 The fixes and bypasses for Log4j 2.15 (CVE-2021-45046)
08:11 What about version 2.16? (CVE-2021-45105)
08:41 Detecting the vulnerability
10:45 Reproducing the Log4j RCE
12:07 Attacking servers that are firewalled-off

#Log4j