Mitigation edits forrest #295
Merged
Conversation
freeqaz approved these changes on Dec 13, 2021
factoidforrest added a commit that referenced this pull request on Dec 21, 2021
* improve lunasec plug
* improve iphone words
* clean up the secondary attack vector explanation
* a word
* update docusaurus to fix blogs and fix the awful looking admonition from beta 12
* clearer warning about dnslog.cn
* remove sentence saying there was no stable release, no longer relevant
* Better CTAs on the page
* Add social info
* Remove random stuff
* Fix example to use log4j2 pedantry: make the example code actually valid log4j2 use, not log4j 1.x
* make demo backend use pm2
* Update 2021-12-09-log4j-zero-day.md
* Slightly improve example code
* log4j download page (#269) Apache projects' primary approach to releases is to provide downloads via the apache project web sites - not via github.
* update yarn.lock
* Regenerate lockfile, fix CLI arguments for hosted demo
* Disable Nginx volume
* Fix a yarn error
* Fix yarn.lock
* Remove extraneous workdir statement
* Uncomment nginx
* Remove second build step from demo back end build
* Revert build change
* no fork pm2
* switch to pm2-runtime
* change nolookups compatibility The `nolookups` work-around mentioned only works on versions >= 2.7. Fixes #274.
* Update log4j post title
* Add log4shell CLI tool
* Fix bad path
* Fix entrypoint for package
* Change version to beta
* Fix script to work with both a specific path or in the current folder
* WIP blog post
* Bump version
* make hash downloading automatic even if not using NPM
* also find war files
* move log4shell to tools
* improve DNS test paragraph
* Update 2021-12-09-log4j-zero-day.md
* more small post edits like date, forrest as an author
* get date out of title because title too long and date updated properly now
* log4shell scanning cli initial commit
* Enabled options for printing out json for parsing results.
* Add option to write outputs to a file.
* update binary name to log4shell
* Write up the rest of the blog post
* when scanning archives, scan nested ones
* Wrap up the Log4Shell Mitigation Guide doc
* More post cleanup
* More post cleanup
* Fix Master CI
* Fix grammar in mitigation guide
* Fix bad link in blog post
* Fix typo
* blog edits to header example
* Add social links and update main Readme
* Remove thank you line
* big mitigation edits
* Add CVE number back to first line of text for SEO
* Content reworking
* Add log4j to first sentence
* few tiny edits
* small edits linking two blog posts together and other nits
* Mitigation edits forrest (#295)
* big mitigation edits
* Add CVE number back to first line of text for SEO
* Content reworking
* Add log4j to first sentence
* few tiny edits
* small edits linking two blog posts together and other nits
  Co-authored-by: Free Wortley <free@lunasec.io>
* Adding command for running log4shell hotpatch server. The command brings up the servers, but they currently do not work.
* fix package mistake
* mention log4j 2.16
* add contact form, what a doozy
* remove bad dep and eslint ignore something
* add mui types
* verbose start in CI
* yarn install
* made bucket script wait for file and brought back the use of a precache container
* switch cli workdir to repo
* Hotpatching works when being tested locally against vulnerable spring server.
* Fix renamed directory
* add warnings about 2.15 and flag
* better warning
* fix typo and add CVE name
* more CVE mentions
* Update 2021-12-09-log4j-zero-day.md
* Update 2021-12-09-log4j-zero-day.md
* fix english (#304)
* Add new blog post on 2nd log4j vulnerability
* update Log4ShellHotpatch
* Add updated dates
* Add disclaimer about log format still being vulnerable
* Add disclaimer about log format still being vulnerable
* Added post content for follow up CVE under certain circumstances
* Update times in doc
* Scanner finds 2.15 (#305)
* first draft of adding severity rating to vulns
* duplicate flags onto scan command because its more natural UX
* added 2.15 hashes and confirmed they work
* Update vulnerablehashes.go
* Update vulnerablehashes.go
* Severity 9.8 for log4j v1 vulns
* Swap from Severity to CVE
* put severity back in
  Co-authored-by: Johnathan Free Wortley <free@lunasec.io>
* Cleanup content
* update some wording in the blog post
* blog mentions hot patch cli
* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
* Change links to the generic Releases page
* print payload string from CLI
* prettier output
* bump version
* make goreleaser just do binaries
* added more options to the hotpatch server and added a landing page
* update hotpatch server to have more descriptive text
* Update Patch section with new notes
* Update timestamps
* Wordsmithing
* add live patch blog post
* Fix image links to be persistent
* Fix image link for bad image also
* Fix bad image links by using MDX syntax instead
* change dependency to not panic
* bump version of log4shell cli
* add docker-compose and update readme with some commands
* update blog posts
* Blog post updates
* Fix formatting
* Tweaks
* fix typo
* scan library before browsing it
* Fix some typos
* Better phrasing
* feat: scan into zip archives in addition to jar+war
* script for downloading all log4j versions
* try again in CI
* add payload url to the print out in the cli
* update blog post to fix changes suggested in issues
* CLI UX improvements and more legalish warnings
* use webarchive to reference zero day tweet
* increase max mocked s3 body size in nginx for live demo
* fix nginx args
* Basic technical analysis of the Log4Shell exploit
* pull all maven and apache versions of log4j
* update blog to include java decomp
* log4shell and 2.15.0 cves are distinct in findings now
* bump version
* add zip and ear extensions to allow deep scans
* include 1.2.17 in scanning log4j1
* bump version
* bump cli version to 1.3.2
* warning about virus scanners in blog post
* resolve symlinks while scanning
* switch all logs to stdout and prettier formatting for scan results
* Add links back to other posts
* slightly better log level printing
* Add links to other blog posts and update phrasing
* update CTA size
* Add FUNDING.yml file for GitHub Sponsors
* Update README.md
* add manual releasing instructions
* fix false positive for 2.16.0 and 2.15.0
* analyzer has better semver version checking
* improve log colors
* version change is more than a patch, version should reflect this
* global flags are recognized by the cli if they have a name collision in a subcommand
* create blog post discussing follow up issues for cve
* add --no-follow-symlinks
* increase severity of cve-2021-45046 finding
* add details about the latest updates about the log4shell cves
* update date
* Fix bug in the new CVSS post
* One more change
* Add bypass payload to post
* Fix bad date
* Update issue templates
* broken symlinks no longer stop scanning
* bump version
* WIP OSS patching blog post (#348)
* WIP OSS patching blog post
* small post edits
* oss patching blog post drafted
* update date and truncate
* get license out of PR template and add to ignore file
* explain more why people need to know to security patch
* update intro wording
* edits to include githubs tooling
* more credit to google
* nits
* change a link
  Co-authored-by: breadchris <chris@lunasec.io>
* typo 'and' should be 'an'
* update guidance to use 2.17.0
* Update guidance across all posts
* better osx instructions
* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
* Update 2021-12-12-log4j-zero-day-mitigation-guide.mdx
* Update the malicious links to be our domain everywhere
* close read which is left open
* fix admonitions
* yarn stuff
* include more install steps in the precache
* stop demo back end from starting prematurely
* delete &&, it wasn't needed
* rename integration test workflow to just test

Co-authored-by: Forrest <forrest@lunasec.io>
Co-authored-by: Stu Tomlinson <stu@nosnilmot.com>
Co-authored-by: Moya <moya@asofterspace.com>
Co-authored-by: PJ Fanning <pjfanning@users.noreply.github.com>
Co-authored-by: Thompson, Brian <foss.systems@icloud.com>
Co-authored-by: breadchris <chris@lunasec.io>
Co-authored-by: Sebastian Lövdahl <slovdahl@hibox.fi>
Co-authored-by: Pascal Verdage <pascal.verdage@sgcib.com>
Co-authored-by: Dan Hoizner <dan.hoizner@collibra.com>
Co-authored-by: Alex Collignon <colligno@adobe.com>
Co-authored-by: Forrest <light24bulbs@gmail.com>
Co-authored-by: Tobi Lehman <mail@tobilehman.com>
ajvpot pushed a commit that referenced this pull request on Dec 16, 2022 (same squash commit message as above)
ajvpot pushed a commit that referenced this pull request on Dec 17, 2022 (same squash commit message as above)
ajvpot pushed a commit that referenced this pull request on Dec 17, 2022 (same squash commit message as above)
Former-commit-id: a503b02
Former-commit-id: ee712a38177db4be394be0634d3c82fccb223a2e
Moved the "what not to do" to the bottom since it was huge and not the highest priority thing to cover.
Fixed a lot of typos.
Fixed some factual issues, like the JNDI patch being called a log4j patch.
Added more mitigation strategies.
Better explained what the shell script tool is for.