As a dev I never thought of security in such detail, but after watching this channel I have been practicing to analyse my code for vulnerability and avoid developing features that can be used as vulnerability in combination. My favourite approach is to never make a magic function. Thank you!

As a professional Java developer, I have never once heard someone call log4j "Log Forge". And considering the name literally means "Log for Java", I would argue anyone saying "Log Forge" is wrong. Although i suppose this is probably just another gif situation lol

Now you just need to put a sudoedit payload in a log4j injection xD

For anyone wondering how did they fix this difference in URI parsing behaviours -> They didn't. They just completely removed the whitelisting checks and restricted the whole shebang to only `java` scheme, so no LDAP URIs would pass through.

Great dive into this CVE, since I don’t work with Java I took this one as an FYI so it’s great to come across an easily digestible report on it. 😄

Missed opportunity to play some jazz while the fuzzer runs. Thanks for the video.

It's always worth it.. watching the content you make.

Jazzer looks neat - thanks for the reference.

Wünsch mir mehr java videos von dir. Weiß du machst nicht viel mit Java, aber es ist relevanter für Programmierer (weil beliebte Sprache). Keep up the good Content junge

Great video, thank you! I feel something is missing in the video - still nor clear why MacOS and alpine are affected? Maybe other operating systems? Why? Probably because of different libc implementations that provide DNS resolution functionality.

This is extremely awesome

This was a fruitful collaboration. Thanks @liveoverflow for the insights. It's always amazing to see top hackers coming together!

Training to be a Java SDET and we're covering Log4J tomorrow..time to learn beforehand haha

18:10 'Z'ystems :D 🇩🇪 continuing the sentence they become system again :D

Log(ing) for J(ava) U had it right the first time.

I really enjoyed this! Good video.

Thanks for another video! 😎

Man Man Man !!! You over simplified that initial statement. I understood this in half sleep.

So, the bypass was found through a parser differential. But it only works on MacOS... Because of a parser differential 😳

but woudn't the remote code execution requre that somone actually registers the localhost# domain witch is impossible since it's invalid. Even if someone is running macos and it parses the invalid hostname the dns server shoudn't return anything since the hostname is still invalid. So this is actully not exploitable unless the DNS server is also vunerable or the attacker controls the dns server.

linux pwnkit what about it ?

9:00 it's that thing that happened in chrome, aka url parsing's jank sometimes

How can you inject your code via this localhost# URLs though? You say "the connection worked" for the other dude, but the connection to what? There clearly can't be a doman like localhost# - so how did he actually inject something? What did the DNS resolve and how could it resolve anything at all? o_O

8:44 Nah, it doesn't look good, still seems overly complex. Too many nested ifs, this could use the early return pattern. Which you definitely should use whenever you do safety checks, you should return instantly when anything is wrong and do operations only when all is right.

thanks for a new video ❤️❤️

11:51 which IDE is that?

Since when was log4j pronounced as log forge?

Just curious if you have noticed CVE-2017-5645? Probably very early sign of the novadays problems

ThreadContext Maps are not log4j specific. It is a common concept and std library component in enterprise java developement.

Great video, hopefully you will do the same with the iMessage zero-click exploit

Good job bro 👍👍👍

When can we expect the complete 100% patch for this new log4j?

Awesome👍

best man

Really.. the people saying that you pronounced Log4j wrong are really acting like they didnt miss pronounce it wrong the first time they seen it... I literally see 'Log4j'.. not 'Log Forge'..

thank you very much for this asome video .does Anthony Weems has a youtube channel?

Show this to all the apple stans thinking MacOS is safe from hacking

I didn't know that Michael Cera had a hobby in informatic security

Imagine having your PRs broadcast and scrutinized all across the web. Glad we're doing it, but that would be a pulse-raiser.

Logforge, what? :D

didnt know michael cera is into programming

I thought this was Micheal Cera on the thumbnail

Comment for the algorithm.

I'm just sad that such Exploits exist, why would anyone want to write their own stupid URI parser instead of using the native/built-in one that Is heavily relied on and tested very well ?

Yo, Michael Cera, what up?

So what I'm hearing is "It's always DNS" :)

4j is always pronounced as for-j

hey thanks for "scanning my minecraft server for a project" aka testing for log4j vulnerability on my private server w/o my permission- which is illegal by the way- i've banned your username X_senpai_ and i'm reporting the droplet you used to Digital Ocean.

Hey Michael Cera

this is endless loop off breaking by hackers and repairing Log4j by maintainers, 2 hackers are more dangerous together.

i want to learn from you

Hi

You say "hash sign", all I hear is pound key

The best fix is just to delete log4j and Blacklist its inclusing. Meiß log4j raus und sperr jvm build vom einfügen.

LMAO "Log Forge" they probably say it like that cause it was mostly popularized on minecraft, and the "Forge" mod loader users were affected the most. Still it sounds fucking stupid

fuzzing router

If a logging library has capability to parse expressions from log input. Whoever made that should be banned from programing ever again. The question lies elsewhere. Its a logging library. I expect it to know how write logs to console, file, or to dev null. Why it has lookups? Its clearly bloated. I have nothing against additional functionality. But if you really feel like logging library also have to know how to cook pancakes and fix cars make these features disabled by default, or in better case make them as plugins dustributed in separate jars So your stupidity wont even get into my classpath If you develop such bloated software you clearly failed as a project manager.

Nice video, very interesting! :)