*Foreword* The video is about web applications as one of the many examples of the Log4j vulnerability, from which Vulnerability However, any software that uses Log4j is potentially affected.
In the Log4j lists (see links below) of products and vendors you can read all the big names in the software world such as Microsoft, Dell, IBM, SAP, Teamviewer etc.
Online as well as offline, private as well as companies and other institutions are affected, simply everyone and potentially every product that is equipped with a software that uses Log4j (investigations are ongoing, hundreds of vendors and products of global importance have already been listed):
This short video is about the Log4j vulnerability that currently threatens the Internet worldwide.
In our demo, we briefly show how an attacker exploiting the Log4j vulnerability establishes a remote connection to the attacking system via normal input forms on a web page; in this example, the attacker can completely control the web application and subsequently the web server.
It is enough to use the Vulnerability usually any input field on a web page e.g. a search field in a webshop, the used technology behind search fields in webshops is usually ElasticSearch and ElasticSearch is vulnerable.
With the Log4j-Vulnerability baffles the simplicity in exploitability.
The attacker gains root privileges in this example, as the web server runs in the root context, thus a complete takeover of the server is possible.
Any data can be extracted or further hacking attacks can be performed on the web application or other Internet subscribers.
Feel free to consult us for advice or to troubleshoot Log4j Vulnerabilityn in your company.
We have experienced Java programmers and administrators (Linux + Windows) on board who are happy to check your IT systems and audit source code of deployed software as well as IT systems and software can harden against Log4j.
In the event of incidents in connection with Log4j, there may be a duty to notify the authorities, e.g. the state data protection authority, if personal data is affected.
The demo was performed on our test systems, no one was harmed and no one was punished.