Vulnerability Management and more

2021-12-31 20:38:47 How was my year of security blogging? Quite buzzing. I've tried different things. Something worked out, something not quite. As a result, 34 posts / videos came out. About half of them are reviews of vulnerabilities and other news, the other half are howtos, mini-researches, my open source code, my opinion on various issues. Hopefully the second part will be bigger next year, it looks like the value of this is higher. But the MS Patch Tuesday reviews will remain - this is sacred. A dozen more topics got bogged down in drafts. I hope that deliberately simplifying the production video (back to the slideshow without my face in the frame) will help finish these topics. And if not, then well, okay.

Happy New Year! Open / Comment

2021-12-27 01:16:55 Hello everyone! I decided to make a separate episode about Log4Shell. Of course, there have already been many reviews of this vulnerability. But I do it primarily for myself. It seems to me that serious problems with Log4j and similar libraries will be with us for a long time. Therefore, it would be interesting to document how it all began. So what is the root cause of Log4Shell?

Video:


Text: https://avleonov.com/2021/12/27/log4j-log4shell-rce-explained-cve-2021-44228/ Open / Comment

2021-12-17 00:10:38 Hello everyone! It’s even strange to talk about other vulnerabilities, while everyone is so focused on vulnerabilities in log4j. But life doesn’t stop. Other vulnerabilities appear every day. And of course, there are many critical ones among them that require immediate patching. This episode will be about Microsoft Patch Tuesday for December 2021. I will traditionally use my open source Vulristics tool for analysis.

Video:


Text: https://avleonov.com/2021/12/16/microsoft-patch-tuesday-december-2021/
Full report: https://avleonov.com//vulristics_reports/ms_patch_tuesday_december2021_report_with_comments_ext_img.html

#AppX #iSNS #EFS Open / Comment

2021-12-13 16:27:26 А good list of potentially vulnerable third-party products https://github.com/NCSC-NL/log4shell/tree/main/software #Log4Shell Open / Comment

2021-12-13 15:06:56 Hello everyone! In this episode, I want to talk about vulnerabilities, news and hype. The easiest way to get timely information on the most important vulnerabilities is to just read the news regularly, right? Well, I will try to reflect on this using two examples… Open / Comment

2021-12-13 12:46:28 A nice pop-up in Nessus Professional #Log4Shell Open / Comment

2021-12-13 02:54:44 Hello everyone! In this episode, I want to talk about vulnerabilities, news and hype. The easiest way to get timely information on the most important vulnerabilities is to just read the news regularly, right? Well, I will try to reflect on this using two examples from last week (#Grafana LFI and #Log4j "#Log4Shell" RCE).

Video:


Text: https://avleonov.com/2021/12/13/vulnerability-intelligence-based-on-media-hype-it-works-grafana-lfi-and-log4j-log4shell-rce/ Open / Comment

2021-12-10 22:59:10 Have a nice weekend!
Log4j CVE-2021-44228 Open / Comment

2021-12-08 16:08:29 A big Grafana day
$ curl --path-as-is /public/plugins/alertlist/../../../../../../../../../../etc/passwd

186 viewsedited  13:08

Open / Comment

2021-12-06 18:32:39 Hello everyone! This episode is about Qualys Security Day 2021 Las Vegas, Qualys VMDR, VMDR Training and exam.

Video:


Text: https://avleonov.com/2021/12/06/qsc21-vmdr-training-and-exam/ Open / Comment