Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?
Good callout: building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like Log4j that prop up the entire world, and we just don’t know?
Egress traffic (discussed at length on Twitter; what problems does it solve?)
https://twitter.com/mubix/status/1470430085169745920
Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - Apache removed JNDI functionality
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/