Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
CVE-2021-44228

10CRITICAL

Key Information:

Vendor
Apache
Status
Apache Log4j2
Vendor
CVE Published:
10 December 2021

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 94%🦅 CISA Reported

Summary

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Affected Version(s)

Apache Log4j2 2.0-beta9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

log4j-scan
Created by fullhunt

log4j-shell-poc
Created by kozmer

log4shell-vulnerable-app
Created by christophetd

References

https://logging.apache.org/log4j/2.x/security.html
http://www.openwall.com/lists/oss-security/2021/12/10/1
mailing-list
http://www.openwall.com/lists/oss-security/2021/12/10/2
mailing-list

EPSS Score

94% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 💰

    Used in Ransomware

  • 👾

    Exploit known to exist

  • 🦅

    CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
.