惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
F
Fortinet All Blogs
U
Unit 42
F
Full Disclosure
雷峰网
雷峰网
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
The Cloudflare Blog
Last Week in AI
Last Week in AI
罗磊的独立博客
D
DataBreaches.Net
C
Check Point Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
O
OpenAI News
C
CXSECURITY Database RSS Feed - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
S
Security @ Cisco Blogs
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Hacker News
The Hacker News
Webroot Blog
Webroot Blog
Security Latest
Security Latest
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
酷 壳 – CoolShell
酷 壳 – CoolShell
N
News | PayPal Newsroom
P
Proofpoint News Feed
B
Blog RSS Feed
MongoDB | Blog
MongoDB | Blog
C
Cybersecurity and Infrastructure Security Agency CISA
N
News and Events Feed by Topic
Google Online Security Blog
Google Online Security Blog
H
Help Net Security
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog
M
MIT News - Artificial intelligence
Vercel News
Vercel News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
IT之家
IT之家
MyScale Blog
MyScale Blog
腾讯CDC

Wiz Blog | RSS feed

Meet Wiz for M365: Bringing SaaS into the Security Graph Bringing Security Visibility to Vercel with Wiz Axios NPM Distribution Compromised in Supply Chain Attack Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild The Wiz Blue Agent, now Generally Available Beyond the Badge: What Achieving Microsoft’s Certified Software Designation Means for Your Cloud Security Introducing the Green Agent: AI-Powered Remediation for the Cloud Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack Introducing the Wiz Red Agent- AI-Powered Attacker Introducing Wiz AI Application Protection Platform (AI-APP) Introducing Wiz Agents & Workflows: Security at the Speed of AI AI Runtime Threat Detection: From Input to Real-World Impact Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack It’s Official: Wiz Joins Google Understanding and Reducing AI Risk in Modern Applications Introducing Wiz Tenant Manager: Multi-Tenant Management for Federated Organizations The Agile FedRAMP Playbook, Part 4: Reactive Risk Management through Enriched Incident Response Wiz Achieves CPSTIC Certification in Spain Seeing AI Clearly: Building Visibility Across Modern AI Applications The Agile FedRAMP Playbook, Part 3: Preventative Risk Management by building Secure by Design Wiz Leads the 2026 Latio Application Security Report with awards in 4 categories Building an Agentic Cloud Security Ecosystem: A Reference Architecture with Wiz MCP and Infosys Cyber Next The Agile FedRAMP Playbook, Part 2: Proactive Risk Management with Continuous Monitoring Cloud-native Security for your Windows environment: Announcing the Wiz Runtime Sensor for Windows Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs Wiz Named a Leader in The Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 From Detection to Remediation: It’s Time to Rethink AppSec Around Exploitability and Root Cause Fixes The Agile FedRAMP Playbook, Part 1: Why Risk is Your Best Starting Point Introducing AI Cyber Model Arena: A Real-World Benchmark for AI Agents in Cybersecurity Wiz + Spotify Backstage: Security at the Developer’s Desk Building AI Security Together: New Ways to Partner with Wiz for AI Security in 2026 Hacking Moltbook: The AI Social Network Any Human Can Control The Year in Wiz Research: 2025 Most Read Blogs WizExtend is Here: AI and Cloud Security Insights in Your Daily Workflow From Detection to Remediation: Wiz in Your JetBrains IDE Agentic Browser Security: 2025 Year-End Review CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild A 90-Day Action Plan to Turn Resolutions into Results with Wiz Introducing the Wiz Partner Alliance: A New Chapter for Partner Success Preparing for Post-Quantum Cryptography Wiz Recognized as a 2025 Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for CNAPP Expanding the Zero Critical Club to set a new standard for AppSec and SecOps teams Snipping the Long Tail of Shai-Hulud 2.0 Protecting Against Zero-Day Vulnerabilities with SOC-Level ASM Alert MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know The Kenna Transition: Your Strategic Shift to Exposure Management From MCP to Vibe Coding: Full Endpoint Visibility in Wiz AI Security Bringing Oracle Cloud Identity to Wiz Zero‑Days in the Age of AI: Behind the Scenes of ZeroDay.cloud 2025, with a Record High of CVEs in Critical Cloud Infra Gogs 0-Day Exploited in the Wild Code to Cloud Attacks: From Github PAT to Cloud Control Plane Top AWS re:Invent Announcements for Security Teams in 2025 React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 React2Shell (CVE-2025-55182): Everything You Need to Know About the Critical React Vulnerability Wiz Product Announcements at re:Invent 2025: Expanding Visibility from Code to Cloud Introducing Wiz SAST: Where Code Risk Meets Cloud Context Wiz Becomes Fastest Security ISV to Reach $1 Billion in AWS Marketplace Lifetime Sales It's Here! Wiz Exposure Management is Now GA Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact Service Catalog is Here: Expand Risk Visibility for Your Service and Its Dependencies, Simplify Issue Ownership WizOS: Powering Secured Image Adoption with AI 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs Mastering Software Governance with Hosted Technologies Inventory Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets Get Certified on Wiz Defend for Threat Detection and Response Blueprint for Security: A Guide to Code, Governance, and Response Frameworks Google Unified Security Recommended Program Names Wiz Among First 3 Strategic Partners Introducing Posture Issues: Transform Security Findings into Actionable Outcomes Empower and Accelerate Your SOC with the Blue Agent Exposure Report: 65% of Leading AI Companies Found with Verified Secret Leaks Wizdom 2025 Product Announcements: Extending the Cloud Operating Model When AI Becomes the Heart of Security: Powering a Future You Can Trust AI-Powered Wiz: From Agents to Everyday Intelligence Defend Agentless Workload Detection: Bringing Visibility to Blind Spots in Threat Detection Securing AI Agents with Wiz AI-SPM Introducing Wiz ASM: Context-Driven Attack Surface Management Securing Critical Infrastructure in the Cloud Era: A Policy and Technology Blueprint How CISOs Should Plan Security Budgets for 2026 Beyond the Checkbox: How Wiz Transforms SOC 2 into a Security Powerhouse Bringing Visibility to Kubernetes: Unified Inventory and Network Insight The Foundation Modern AppSec Is Still Missing: Code to Cloud, Rebuilt the Right Way Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces Introducing HoneyBee: How We Automate Honeypot Deployment for Threat Research RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score Defending against database ransomware attacks AI Security 101: Mapping the AI Attack Surface Introducing zeroday.cloud: First-of-its-kind cloud and AI hacking competition Unifying Cloud Risk and Network Defense: Wiz and Check Point The emerging use of malware invoking AI Wiz achieves FedRAMP High authorization Wiz + HCP Terraform: Close the IaC-to-Cloud Infrastructure Security Gap IMDS Abused: Hunting Rare Behaviors to Uncover Exploits Beyond CVEs: The Exploitation of Everyday Misconfigurations Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them Introducing Wiz Incident Response: Your Expert Partner for Cloud Security Incidents Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware DORA Compliance in the Cloud Era: Insights from Deloitte and Wiz How Wiz Customers like Brex and FICO See AI Changing Security Wiz Recognized as a Leader in the 2025 IDC MarketScape for ASPM
Log4Shell: Wrap all your Log4j fixes before the holidays
2021-12-21 · via Wiz Blog | RSS feed

December 28, 2021 update - CVE-2021-44832, a new Log4j vulnerability
On December 28, 2021, Apache released new log4j version 2.17.1 to address CVE-2021-44832, a new remote code execution vulnerability affecting log4j 2.0-alpha7 - 2.17.0 excluding 2.3.2 and 2.12.4 versions. Wiz detects CVE-2021-44832.

The vulnerability severity is 6.6 as the exploit applies only if the attacker can modify the log4j configuration file.
Therefore, Wiz recommends focusing on patching workloads vulnerable to CVE-2021-44228 (the original log4shell) first, as it's easier to exploit and heavily exploited in the wild.

Ever since Log4Shell came into our lives, the internet has been flooded with daily Log4Shell CVEs updates, Log4j releases, as well as outdated recommendations and discredited mitigations. With all this data abundance, it is challenging to keep up or know what you should do next. Our research shows that among the organizations that mitigated the Log4j vulnerabilities 55% of their workloads are still vulnerable to Log4Shell (as of December 21, 2021). The main challenge here is understanding the existing infrastructure, and identifying the location of all vulnerable Log4j libraries.

Meanwhile, attackers are on the hunt to exploit Log4Shell in the wild. In days, they probed half of all corporate networks globally for the exploit. With more than a hundred variants of Log4Shell exploits, mishandling or slow handling of the situation could quickly escalate to your worst nightmare of data leaks, ransomware, or an infrastructure overtake.

This post covers all the latest updates, and presents you with guidelines to identify all vulnerable versions of Log4j in your cloud environment, hopefully before you leave for the holiday season with your beloved ones.

How to prioritize patching

Before we dive into the Log4Shell events and details, let’s start with a summary of the four Log4j vulnerabilities that were discovered in the past 10 days.

Wiz recommends security teams focus on resources that are still vulnerable to CVE-2021-44228 first, with log4j version lower than 2.15.0 (the original Log4Shell vulnerability), since it is easier to exploit and is still being heavily exploited in the wild. As new patches keep coming, ensure you’re patching to the latest version of log4j (2.17 as of December 21, 2021).

We've seen environments with hundreds of different workloads vulnerable to Log4Shell. Handling all of them at once is impossible. Therefore, we recommend prioritizing resources that are:

  • Publicly exposed—Public exposure to the internet allows malicious actors to scan public addresses and try to send crafted messages to those addresses. VMs that are publicly facing and may have server logging via log4j can receive these messages and be compromised.

  • Highly privileged—If a highly privileged VM is compromised, attackers can try to use the role the VM can assume to access resources and make changes in your environment, For example, it's quite common for VMs to be able to assume an AWS Role that has s3:* permissions. Compromised VMs with such permissions allow attackers to read every bucket in your environment or even delete buckets.

Then, you can move on to updating resources that are still vulnerable to the rest of the log4j vulnerabilities.

How it all began

On Dec 9, Alibaba's Cloud Security Team publicly disclosed a vulnerability with a 10/10 rating in a ubiquitous, most popular, Java logging library, Apache Log4j. This vulnerability allowed attackers to execute code remotely in various backends that use this library—thousands of cyber attacks followed. Less than a day after the CVE was published, Deutsche Telekom CERT tweeted about attacks in its honeypot infrastructure:

On Dec 14, by the time agile software developers patched their code, IT admins rushed to update their software and DevOps placed mitigations to prevent this RCE attack. Also, Log4j published a second 2.16.0 update. This update covered a non-default configuration vulnerability that was missing in the first update. At first, this CVE was rated low and allowed Denial of Service (DoS) attacks, so sysadmins were content with updating to 2.15.0 and postponed the update to 2.16.0 for later.

On Dec 18, the Apache Logging security team raised the second CVE rating from moderate 3.7 to critical 9.0 and changed the title from DoS to Remote Code Execution (RCE). And that’s not all - a third Log4j 2.17.0 update was published to fix yet another new 7.5 rated DoS vulnerability!

Log4Shell exploitation in the wild

Cloudflare reported seeing testing of the vulnerability on Dec 1, eight days before the vulnerability was made public. As of mid-December, this vulnerability has been actively exploited in the wild, primarily by botnets and coin miners. Two groups, in particular, stood out:

  • Mirai—One of the most significant botnets targeting exposed networking devices running Linux. Several different variants of Mirai exploit Log4j vulnerabilities.

  • Kinsing—Golang-based malware. It runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim's environment. For more information regarding the IOCs and malware groups using the Log4Shell vulnerability, see the Log4Shell-IOCs page on github.

Ransomware groups were not lagging behind and joined the party, leveraging Log4Shell for initial access and lateral movement. Bitdefender researchers discovered Log4Shell attempts to deploy ransomware on Windows machines connected to compromised Minecraft servers. The Microsoft Threat Intelligence Center (MSTIC) reported tracking multiple nation-state activity originating from China, Iran, North Korea, and Turkey.

How does the Log4Shell attack work

These vulnerabilities come down to unsanitized user input that reaches software and tells it what to do. If you recall the SQL Injection, then you realize it’s the oldest play in the book, and that there is nothing new or fancy here. Log4j comes down to a feature called Lookups, that was introduced in Log4j 2.0.

Does this mean Log4J 1.x is not vulnerable to this attack? No, it might still be susceptible to a separately reported CVE-2021-4104 that, similarly to CVE-2021-44228, allows Remote Code Execution if your logging configuration has JMSAppender configured in it. Regardless, Log4j 1.x is not supported and has had no security patches since 2015.

Lookups allow users to pass variables and commands down to Log4j, which evaluates and handles them. For example, it is helpful to log a user's name to understand the context of the log, e.g. $${ctx:userName}. If the user can manipulate this variable, a malicious actor could leverage that to pass values that command Log4j to perform actions it shouldn't perform.

An attack commonly seen in the wild utilizes the HTTP user-agent, similar to the ShellShock of 2014. This HTTPS header usually contains the browser and the OS names and versions to allow servers to handle their users better. Usually, it looks like this: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0

Here is an example of a user-agent value used in the wild by attackers:

If ${jdni:ldap:URL} ends up in Log4j, it will trigger loading and executing code from the URL that the attacker controls. CVE-2021-44228 covers exactly this scenario. The above command instructs Log4j to use Java Naming and Directory Interface (JNDI). JNDI is a Java runtime Application Programming Interface (API) that can retrieve objects from remote servers using a few protocols. The lookup command instructs connecting to 715de0e31919[.]bingsearchlib[.]com[:]39356 using the Lightweight Directory Access Protocol (LDAP) protocol, and fetching the object a. Both JNDI and LDAP are well-documented protocols that an attacker can leverage to execute code.

LDAP is not the only JNDI service, and Juniper reported a shift to use RMI instead of LDAP. The other two CVEs cover different scenarios using the same strategy: an attacker crafts malicious data input that bypasses various mitigations in Log4j and its configurations, which results in Remote Code Execution, data leaks, or Denial of Service.

Why is Log4Shell such a critical issue

As we have seen, Log4Shell raised three main challenges:

  • Proper identification of impacted software— How do you even begin to search for software that uses another software that uses Log4j across your entire infrastructure? Can/should you even trust the chain to report the issue to you on time?

  • Efficient and fast remediation—Even after locating all the relevant software, rolling out updates takes time. If updates are not available, patching is even more complex and error-prone.

  • The resurrection of concepts considered long gone—Since SQL Injections first became known, sanitizing queries received an emphasis but did not become a security practice anywhere. In such an attack vector, it's not only the external servers that are at risk.

Consider user input that is stored in a DB, and is later retrieved and logged. A malicious payload sent by the user could get into the DB, and later, the logger would receive it. The next misconception is that sanitizing inputs in your external-facing server is enough to prevent such attacks. If you check the input and discard it before you store it, that would help you prevent the attack from the previous example. You could use "probably the most comprehensive Regex I’ve seen yet to identify Log4Shell exploitation attempts":

But imagine what would happen if the data received is compressed or encoded, like ZIP or base64:

The receiving server sanitizes the input and makes sure that it does not contain a malicious payload or contains base64, as it should. Later, the other service (that does not even suspect that the value originated from the user), decodes it using base64, and sends the actual payload to Log4j:

Which versions of Log4j can I use safely

As of Dec 28, you should upgrade to the latest Log4j version:

  • If you use Java 8 (or later), upgrade the library to 2.17.1.

  • If you use Java 7 or need JNDI, upgrade to 2.12.4.

  • If you use Java 7 or need JNDI, upgrade to 2.3.2.

Log4j and many others suggested different mitigations. For example: fixing the issue by disabling lookups in certain situations using methods similar to log4j2.formatMsgNoLookups or using "%message{nolookups}". You should not use that recommendation anymore as it is insufficient in many cases and discredited.

Which software is affected by the Log4j vulnerability?

Exploiting Log4Shell is easy, and there are many resources and examples online. The use of vulnerable Log4j is so widespread that we suggest categorizing it:

  • Appliance, various *aaS services, and third-party software that uses vulnerable Log4j

  • Proprietary software that is developed or maintained internally and uses vulnerable Log4j

How to locate all the software that uses Log4j

For internally developed software, developers should follow the mitigation steps published by the Log4j security team. We suggest updating vulnerable libraries to the latest version. As proved in the last few days, other mitigations can leave your software vulnerable to further attacks. We do not recommend using Pattern Layout or other similar techniques on any unsanitized input from users.

Which other mitigations can I apply

Network-level mitigations could be an excellent temporary solution while you work on updating your stack. For example, you can set up Web Application Firewall (WAF) to prevent common attacks from reaching your potentially exploitable software, and prevent your servers from initiating outbound to unknown or black-listed domains.

Which third-party appliances, services, and software use Log4j?

Software vendors of appliances, services, and software that you use depend on open source as part of their stack. Their dependence on vulnerable Log4j makes you vulnerable too. All the major vendors used Log4j and reported that Log4Shell impacted them. All types of software are affected: management software like vCenter, backend solutions like Elastic, Kafka, and even Minecraft. Locating and updating the software is crucial.

Follow the steps provided by the software vendor to fix and mitigate the Log4Shell attack. Sometimes, manual actions are required even in the case of affected "managed services" by vendors like Amazon, Google, and Microsoft. The National Cyber Security Centre of Netherlands(NCSC-NL) is an excellent source for reports about Log4Shell and maintains a list of all the software, affected versions, and required mitigation steps.

Identifying if a software uses Log4j

Sometimes there is a need for a "black box" assessment of software to ensure it is not vulnerable. Here are some quick tips to help you out:

  • If you're confident that the software never executes Java, it doesn't use Log4j inside it. Log4Shell does not impact projects like Log4net and Log4cxx.

  • You can scan and locate log4j-core files.

  • For your self-developed software, search for log4j references.

  • The NCSC-NL offers a list of tools to help you detect if the software uses Log4j.

However, there are still other scenarios that are not covered above, such as recursive decencies that require deeper file analysis. With all the above detection challenges and more, Wiz can help (see below)✨

Answering all those questions is a tedious task that usually requires gaining full access to all your resources, and many tools to perform all those different queries. Manually checking whether a machine is vulnerable requires accessing it, even if it is not vulnerable.

Use Wiz to detect, track, and prioritize log4j remediation

Wiz detects log4j vulnerabilities on all cloud workloads, including VMs, containers, serverless functions and even virtual appliances. Wiz allows you to query your infrastructure stack at once, effortlessly. You can get immediate insights about all vulnerable appliances and services even if they are closed source, third-party software that uses Log4j, or your software embeds vulnerable Log4j in it. Additionally, customers can use the Wiz Security Graph to focus remediation effort on the workloads that are at greatest risk (e.g. workloads that are effectively exposed to the internet or ones that have access to sensitive resources).