Log4Shell Security Exploit Deep Dive (Using Spring Boot and Maven application example)

The Log4Shell exploit, also known as CVE-2021-44228, is a nasty new exploit that affects a lot of software running Java around the world. This security vulnerability makes it possible for attackers to execute their code in your machine if you are vulnerable. I recently did a video where I went through the basics of what this is, but a deep dive was requested, so a deep dive you shall get.

In this video, I'll grab a vulnerable Spring Boot application, show you how you can see if it's vulnerable, and more importantly, how to fix it. I'll also run the actual exploit against my server, to test what actually fixes things, and what does not work. Join me if you want to understand more, or learn ways to keep safe.

Timecodes:
0:00 - Introduction
0:48 - How to know if you're vulnerable?
4:30 - Figuring out transitive dependencies (Maven, VSCode example)
7:30 - What's the exploit and how to test for it?
12:44 - How to make your code safe? What are your options?
20:56 - Conclusion and final thoughts


Here are the links in the video:
- https://www.youtube.com/watch?v=ipWGcHeXCKw
- https://nvd.nist.gov/vuln/CVE-2021-44228
- https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
- https://github.com/christophetd/log4shell-vulnerable-app
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/


NOTE: Things move fast so some updates to this video (or watch my more recent ones):
- As I suspected, more vulnerabilities have been discovered since the original one
- Log4j 2.15.0 is not good enough, update to 2.17.0 or later, when they become available
- Command-line parameters do not fully protect you, so tricks like log4j2.formatMsgNoLookups and remote execution toggles are not enough to give full protection
- Read more from here, under "Older (discredited) mitigation measures": https://logging.apache.org/log4j/2.x/security.html