Slide 15
Reference
■ Log4j, CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html#Older_.28discredited.29_mitigation_measures
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
■ JNDI, Deserialization
- https://www.veracode.com/blog/research/exploiting-jndi-injections-java
- https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
- https://cheatsheetseries.owasp.org/assets/Deserialization_Cheat_Sheet_GOD16Deserialization.pdf
■ PoC
- https://github.com/okuken/sectest_java
- https://github.com/pimps/JNDI-Exploit-Kit
- https://github.com/frohoff/ysoserial