Summary
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. The vulnerability is referenced as CVE-2021-44228.
Exploited in the wild
YES! There is evidence of it being exploited in the wild.
Supported protocols:
{jndi:ldap:/
{jndi:rmi:/
{jndi:ldaps:/
{jndi:dns:/
{jndi:iiop:/
{jndi:http:/
{jndi:nis:/
{jndi:nds:/
{jndi:corba:/
How to fix
Update to 2.15.0 or newer.
References
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- apache/logging-log4j2#608
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
- https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (https://t.co/GgksMUlf94).
Query our API for “tags=CVE-2021-44228” for source IP addresses and other IOCs. #threatintel
— Bad Packets (@bad_packets) December 10, 2021
About the application
According to Wikipedia, Apache Log4j is a Java-based logging utility. It was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.
