
The devil is in the details. As a random example, you might have a process where all the pre-WAF requests (or explicitly the requests blocked by WAF) get forwarded to a log analysis system that itself uses log4j and is vulnerable, allowing the attacker to gain RCE in your monitoring infrastructure.

Also, blocking any request containing "{" is tricky - like, that's so generic that it's time-consuming to verify that it won't break anything, and it's very likely that JSON is used somewhere in that application traffic, so you can't simply do that.




You could also have a log analysis system that displays logs in the browser and has an XSS vulnerability. So that bypass isn't unique to log4j.

> JSON

You could probably write a more advanced check than just "{" that would let most JSON through while still blocking the attack.
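One shape the "more advanced check" could take, as an added example that is not part of the thread: match Log4j's `${` lookup opener after percent-decoding, rather than any `{`. The function names and sample strings are constructed for illustration, and as the first comment notes, a request blocked this way can still reach a vulnerable log pipeline.

```python
from urllib.parse import unquote_plus

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def normalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_block(value: str) -> bool:
    """The rule discussed in the thread: block anything containing '{'."""
    return "{" in value


def lookup_block(value: str) -> bool:
    """Block only the Log4j lookup opener '${', checked after decoding."""
    return "${" in normalize(value)


# Constructed sample inputs (not taken from real traffic).
SAMPLES = {
    "plain_json": '{"user": "alice", "items": [1, 2]}',
    "lookup_raw": "${jndi:ldap://example.invalid/a}",
    "lookup_encoded": "%24%7Bjndi:ldap://example.invalid/a%7D",
    "json_with_template": '{"greeting": "Hello ${name}"}',
}


def evaluate(samples: dict) -> dict:
    """Return {name: (naive_verdict, lookup_verdict)} for each sample."""
    return {k: (naive_block(v), lookup_block(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, lookup) in evaluate(SAMPLES).items():
        print(f"{name:20} naive={naive!s:5} lookup={lookup}")
```

The `json_with_template` sample is still blocked, which is why this lets most JSON through rather than all of it.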



