Douglas Everson (Clemson University), Long Cheng (Clemson University), and Zhenkai Zhang (Clemson University)

The log4shell vulnerability has been called one of the most significant cybersecurity vulnerabilities in recent history. For weeks after initial disclosure, companies around the globe scrambled to respond by patching their systems or by applying mitigating security measures to protect systems that could not be readily patched. There are many possible ways to detect if and where an organization is vulnerable to log4shell, each with advantages and disadvantages. Penetration testing in particular is one possible solution, though its results can be misleading if not interpreted in the proper context. Mitigation measures have varying degrees of success: Web Application Firewalls (WAFs) could be bypassed, whereas our analysis revealed that outbound network restrictions would have provided an effective protection given the rapidly evolving patch cycle. Ultimately, log4shell should change the way we look at web attack surfaces; doing so will ensure we can be better prepared for the next critical zero-day Remote Code Execution (RCE) vulnerability.

Index Terms—Log4j; Web Attack Surface; Penetration Testing

View More Papers

Above and Beyond: Organizational Efforts to Complement U.S. Digital...

Rock Stevens (University of Maryland), Faris Bugra Kokulu (Arizona State University), Adam Doupé (Arizona State University), Michelle L. Mazurek (University of Maryland)

Read More

Demo: A Simulator for Cooperative and Automated Driving Security

Mohammed Lamine Bouchouia (Telecom Paris - Institut Polytechnique de Paris), Jean-Philippe Monteuuis (Qualcomm), Houda Labiod (Telecom Paris - Institut Polytechnique de Paris), Ons Jelassi, Wafa Ben Jaballah (Thales) and Jonathan Petit (Telecom Paris - Institut Polytechnique de Paris)

Read More

Demo #11: Understanding the Effects of Paint Colors on...

Shaik Sabiha (University at Buffalo), Keyan Guo (University at Buffalo), Foad Hajiaghajani (University at Buffalo), Chunming Qiao (University at Buffalo), Hongxin Hu (University at Buffalo) and Ziming Zhao (University at Buffalo)

Read More

HTTPS-Only: Upgrading all connections to https: in Web Browsers

Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein (Mozilla Corporation), Thyla van der Merwey (ETH Zurich)

Read More