CVE-2021-44228

Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS breakdown

Affected products

• Apache Software Foundation / Apache Log4j22.0-beta9 – log4j-core*

Exploits & proofs of concept

• nucleiVMware vRealize Operations Tenant - JNDI Remote Code Execution (Apache Log4j)by bughuntersurya
• nucleiVMware VCenter - Remote Code Execution (Apache Log4j)by _0xf4n9x_
• nucleiVMware Operations Manager - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiVMware NSX - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiVMware Horizon - JNDI Remote Code Execution (Apache Log4j)by johnk3r
• nucleiVMware HCX - Remote Code Execution (Apache Log4j)by pussycat0x,DhiyaneshDK
• nucleiSpring Boot - Remote Code Execution (Apache Log4j)by pdteam
• nucleiCitrix XenMobile Server - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiVMware Site Recovery Manager - Remote Code Execution (Apache Log4j)by akincibor
• nucleiUniFi Network Application - Remote Code Execution (Apache Log4j)by KrE80r
• nucleiSymantec SEPM - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiSplunk Enterprise - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiSonicwall NSM - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiSeeyon OA (Log4j) - Remote Code Executionby SleepingBag945
• nucleiRundeck - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiPega - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiPapercut - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiOpenShift - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiOpenNMS - JNDI Remote Code Execution (Apache Log4j)by johnk3r
• nucleiOkta - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiMetabase - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiManage Engine Desktop Central - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiLogstash - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiJitsi Meet - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiGraylog (Log4j) - Remote Code Executionby DhiyaneshDK
• nucleiGoAnywhere Managed File Transfer - Remote Code Execution (Apache Log4j)by pussycat0x
• nucleiFortiPortal - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiF-Secure Policy Manager - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiElasticsearch 5 - Remote Code Execution (Apache Log4j)by akincibor
• nucleiCitrix XenApp - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiIvanti MobileIron (Log4j) - Remote Code Executionby meme-lord
• nucleiJamF (Log4j) - Remote Code Executionby pdteam
• nucleiApache Code42 - Remote Code Execution (Apache Log4j)by Adam Crosser
• nucleiCisco WebEx - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiCisco vManage (Log4j) - Remote Code Executionby DhiyaneshDK
• nucleiCisco Unified Communications - Remote Code Execution (Apache Log4j)by DhiyaneshDK
• nucleiCisco CloudCenter Suite (Log4j) - Remote Code Executionby pwnhxl
• nucleiCisco BroadWorks - Remote Code Execution (Apache Log4j)by shaikhyaser
• nucleiJamF Pro - Remote Code Execution (Apache Log4j)by DhiyaneshDK,pdteam
• nucleiApache Solr 7+ - Remote Code Execution (Apache Log4j)by Evan Rubinstein,nvn1729,j4vaovo
• nucleiApache OFBiz - JNDI Remote Code Execution (Apache Log4j)by pdteam
• nucleiApache Druid - Remote Code Execution (Apache Log4j)by SleepingBag945
• nucleiApache Log4j2 Remote Code Injectionby melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo

References

• MISChttps://logging.apache.org/log4j/2.x/security.html
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/10/1
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/10/2
• VENDOR_ADVISORYhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/10/3
• MISChttps://security.netapp.com/advisory/ntap-20211210-0007/
• EXPLOIThttp://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
• VENDOR_ADVISORYhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
• VENDOR_ADVISORYhttps://www.oracle.com/security-alerts/alert-cve-2021-44228.html
• VENDOR_ADVISORYhttps://www.debian.org/security/2021/dsa-5020
• MAILING_LISThttps://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
• MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
• MISChttps://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/13/2
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/13/1
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/14/4
• VENDOR_ADVISORYhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
• MISChttps://www.kb.cert.org/vuls/id/930724
• MISChttps://twitter.com/kurtseifried/status/1469345530182455296
• MISChttps://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
• EXPLOIThttp://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
• EXPLOIThttp://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
• EXPLOIThttp://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html
• MISChttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
• VENDOR_ADVISORYhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/12/15/3
• EXPLOIThttp://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
• EXPLOIThttp://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
• EXPLOIThttp://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html
• EXPLOIThttp://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
• EXPLOIThttp://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
• MISChttps://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
• MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
• EXPLOIThttp://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
• MISChttps://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
• MISChttps://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
• VENDOR_ADVISORYhttps://www.oracle.com/security-alerts/cpujan2022.html
• EXPLOIThttp://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
• MISChttps://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
• EXPLOIThttp://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html
• EXPLOIThttp://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
• MAILING_LISThttp://seclists.org/fulldisclosure/2022/Mar/23
• MISChttps://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
• MISChttps://github.com/cisagov/log4j-affected-db
• VENDOR_ADVISORYhttps://support.apple.com/kb/HT213189
• VENDOR_ADVISORYhttps://www.oracle.com/security-alerts/cpuapr2022.html
• MISChttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
• MISChttps://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
• MAILING_LISThttp://seclists.org/fulldisclosure/2022/Jul/11
• EXPLOIThttp://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
• EXPLOIThttp://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
• MAILING_LISThttp://seclists.org/fulldisclosure/2022/Dec/2
• EXPLOIThttp://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html