Hi, I saw sherlock demoed at the 2021 Druid conference and it really stoked my interest. I haven't used it yet because I noticed the log4j version is within the range of versions vulnerable to the JNDI lookup vulnerability that was discovered earlier this year(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). I was curious: is the corresponding lookup feature currently disabled in sherlock and/or are there are plans to upgrade to log4j2.15 or later?
Thanks!
Hi, I saw sherlock demoed at the 2021 Druid conference and it really stoked my interest. I haven't used it yet because I noticed the log4j version is within the range of versions vulnerable to the JNDI lookup vulnerability that was discovered earlier this year(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). I was curious: is the corresponding lookup feature currently disabled in sherlock and/or are there are plans to upgrade to log4j2.15 or later?
Thanks!