Log4Shell — The Single Biggest Security Vulnerability Ever?
NOTICE: This website is still under construction!
A few things don't work yet, and very many of the pages are incomplete. These will be edited and fixed up ASAP... See here for more about this.
Log4Shell is a recently disclosed security vulnerability in a popular piece of software used for generating log files (including logging error messages), written in Java, known as Log4j. It's affected countless computers around the world, many of them used by large companies such as Amazon, Apple, Twitter, Tesla, Cisco, Cloudflare, and several others — most notably, many of them are systems which provide cloud sevices.
Various security consultants have described Log4Shell in very extreme terms, such as "the single biggest, most critical vulnerability ever", "arguably the most severe vulnerability ever", and "a design failure of catastrophic proportions" (quotes from Wikipedia).
I'll update this page more later... Though it seems that large companies are most at threat from Log4Shell exploits. Presumably, those running servers which use the vulnerable Log4j framework.
Patches to close the security hole have been available since December 2021, with several different (and progressively improved) patches being released after it was discovered that an earlier patch did not fix the entire problem.
Despite the availability of patches, a large problem remains in that the sheer number of servers which have (or had) the vulnerable code on them are staggering — with estimates as high as that 93% of enterprise cloud systems were affected. Therefore, the amount of time required to patch all these systems is vast.
Coming Soon: I'll add more details about how Log4Shell works, and other information, soon...
To help with my Cybersecurity job search, I thought it would be interesting to see how much pentesting I can learn in a one-week period. I'll describe what I've done, starting from the basics. I'll...
This page describes setting up a CFML server using Lucee (compatible with Adobe ColdFusion CFML pages) on Amazon's AWS EC2 cloud computing service. I was looking for a way to host example/demo versions of some of...