13 Dec 2021, 6 a.m.
It's not true. It can pull from other ports, URLs, make DNS calls, and seems to evaluate even from environment variables. It's a "virtual machine".

On 13 Dec 2021, at 11:54, Jean St-Laurent via NANOG wrote:
Well if you look to the right you won't see it, but if you look to the left you will see it.
Meaning that, for a successful attack to work, the infected host needs to first download a payload from LDAP.
And LDAP runs on port 389/636.
You probably can't see the log4j vulnerability in the HTTPS, but you should be able to see your servers querying weird stuff on the internet on port 389/636.
Just don't allow your important hosts to fetch a payload from the internet on port 389/636.
Et voila! Look to the left, not to the right.
Jean
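The "look to the left" check Jean describes, as an added example that is not part of either message: scan connection logs for internal hosts opening outbound LDAP (389/636) connections to destinations outside the organisation's own ranges. The log format and the internal prefixes are assumptions for the example; as the reply above points out, a payload fetched over some other port is not caught by a port-based filter, which the last sample line illustrates.

```python
import ipaddress

# Constructed sample connection log (not real traffic):
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2021-12-13T06:01:02Z 10.0.5.21 51234 10.0.9.7 389 tcp
2021-12-13T06:01:05Z 10.0.5.21 51235 203.0.113.45 389 tcp
2021-12-13T06:01:09Z 10.0.7.3 44010 198.51.100.9 636 tcp
2021-12-13T06:01:11Z 10.0.7.3 44011 198.51.100.9 443 tcp
2021-12-13T06:01:20Z 10.0.5.21 51240 203.0.113.45 8080 tcp
"""

# Assumed internal address space; replace with your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LDAP_PORTS = {389, 636}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ldap(log_text: str):
    """Return (timestamp, src, dst, dport) for each internal host that
    connects outbound to a non-internal destination on an LDAP port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, _proto = line.split()
        dport = int(dport)
        # Internal-to-internal LDAP (real directory traffic) is ignored;
        # only egress to outside addresses on 389/636 is flagged.
        if dport in LDAP_PORTS and is_internal(src) and not is_internal(dst):
            hits.append((ts, src, dst, dport))
    return hits


if __name__ == "__main__":
    for ts, src, dst, dport in find_external_ldap(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  outbound LDAP to external host")
```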