CVE-2021-44228: Remote code injection in Log4j
(updated )
Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per Apache’s Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.
Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the Updated advice for version 2.16.0 section of this advisory.
References
- cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- github.com/advisories/GHSA-7rjr-3q55-vv33
- github.com/advisories/GHSA-jfh8-c2jp-5v3q
- github.com/apache/logging-log4j2
- github.com/apache/logging-log4j2/pull/608
- github.com/cisagov/log4j-affected-db
- github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
- github.com/github/advisory-database/pull/5501
- github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
- github.com/tangxiaofeng7/apache-log4j-poc
- issues.apache.org/jira/browse/LOG4J2-3198
- issues.apache.org/jira/browse/LOG4J2-3201
- issues.apache.org/jira/browse/LOG4J2-3214
- issues.apache.org/jira/browse/LOG4J2-3221
- lists.debian.org/debian-lts-announce/2021/12/msg00007.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM
- logging.apache.org/log4j/2.x/changes-report.html
- logging.apache.org/log4j/2.x/manual/lookups.html
- logging.apache.org/log4j/2.x/manual/migration.html
- logging.apache.org/log4j/2.x/security.html
- msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2
- nvd.nist.gov/vuln/detail/CVE-2021-44228
- packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
- packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
- packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- seclists.org/fulldisclosure/2022/Dec/2
- seclists.org/fulldisclosure/2022/Jul/11
- seclists.org/fulldisclosure/2022/Mar/23
- security.netapp.com/advisory/ntap-20211210-0007
- support.apple.com/kb/HT213189
- twitter.com/kurtseifried/status/1469345530182455296
- www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
- www.debian.org/security/2021/dsa-5020
- www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- www.kb.cert.org/vuls/id/930724
- www.nu11secur1ty.com/2021/12/cve-2021-44228.html
- www.oracle.com/security-alerts/alert-cve-2021-44228.html
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
Code Behaviors & Features
Detect and mitigate CVE-2021-44228 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →