Q&A: John Hammond | Decipher

John Hammond of Huntress joined Dennis Fisher on the Decipher podcast this week to discuss the Apache Log4j vulnerability. This is an edited and condensed transcript of that interview.

Dennis Fisher: What was your initial reaction when you read the advisory and kind of the creeping dread dawned on you?

John Hammond: You hit the nail on the head in that this Log4j package is just ubiquitous. It’s everywhere. So it’s a Java logging package, and that means that whenever an application tries to keep a record of any sort of activity, or what happens when a user interacts or engages with the program, it logs it. It keeps note of it. The gimmick is that this Log4j library added some extra functionality. Now the bug and vulnerability that we’re all screaming about, running around like chickens with our heads cut off, is that this will parse and take action upon the data presented in that log file, in the entry, and the input supplied. That means, hey, it could reach out and actually execute code. It could call out to an external host that’s serving a malicious payload and grant a bad actor remote code execution, so they could detonate and run really whatever they’d like. Honestly, that opens the door. It’s initial access. But that could then lead to privilege escalation, post-exploitation, exfiltration, persistence, lateral movement, anything.

Dennis Fisher: The way that I understand this is exploitable with just one line of code. There’s not a whole lot to it.

John Hammond: That is absolutely correct. So I’ve tried to scream and shout about this to raise awareness the best I can. I have a kind of video demonstration. I have a walkthrough and a video up on my own YouTube channel that showcases how this is so easily exploited in Minecraft, the silly kids’ game. That’s, I think, where this started to blow up. Truthfully, it’s very hard to validate and verify what is vulnerable and where, because this package, this logging functionality, could be baked into any aspect of a program, and that’s what’s so sinister about this vulnerability, in that, yeah, sure, it’s a zero day, but other security researchers have likened this to a cluster bomb of zero days, and it’s so many different…