CVE-2021-44228
Apache Log4j2 <=2.14.1 RCE
Section titled “Apache Log4j2 <=2.14.1 RCE”Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Please check NSCS-NL - log4shell - IoCs
Scanners
Section titled “Scanners”Checks if the application is vulnerable to CVE-2021-44228.
| Source | Notes | Links |
|---|---|---|
| crypt0jan | Perform a scan of a single host (using Powershell) to see if it’s vulnerable | https://github.com/crypt0jan/log4j-powershell-checker |
| Huntress | Online Log4Shell Vulnerability Tester | https://log4shell.huntress.com/ |
| Canary Tokens | Log4Shell Vulnerability Tester | https://canarytokens.org/generate |
| Diverto | Nmap NSE scripts to check against log4shell | https://github.com/Diverto/nse-log4shell |
| righel | Nmap NSE script to inject jndi payloads with customizable templates into HTTP targets | https://github.com/righel/log4shell_nse |
| silentsignal | Log4Shell scanner for Burp Suite | https://github.com/silentsignal/burp-log4shell |
| Northwave Security | Northwave Log4j CVE-2021-44228 checker | https://github.com/NorthwaveSecurity/log4jcheck |
| Northwave Security | Northwave Log4j CVE-2021-44228 checker Powershell version | https://github.com/crypt0jan/log4j-powershell-checker |
| OlafHaalstra | Scans a list of URLs with GET or POST request with user defined parameters | https://github.com/OlafHaalstra/log4jcheck |
| Grype | Open source vulnerability scanner (docker), picks up nested JARs containing log4j | https://github.com/anchore/grype |
| logpresso | Scans for java files that are vulnerable and may rename it for mitigation | https://github.com/logpresso/CVE-2021-44228-Scanner |
| FullHunt | Open detection and scanning tool (Python) for discovering and fuzzing for Log4J vulnerability | https://github.com/fullhunt/log4j-scan |
| Dtact | DIVD-2021-00038 log4j scanner Scan paths including archives for vulnerable log4 | https://github.com/dtact/divd-2021-00038—log4j-scanner |
Log4j2 Detection
Section titled “Log4j2 Detection”| Source | Notes | Links |
|---|---|---|
| Neo23x0 | Florian Roth Log4j2 detection script | https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b |
| sp4ir | Powershell script to detect Log4Shell | https://github.com/sp4ir/incidentresponse/blob/35a2faae8512884bcd753f0de3fa1adc6ec326ed/Get-Log4shellVuln.ps1 |
| NCCgroup | Version hashes (MD5, SHA1 and SHA256) for log4j2 versions | https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228 |
| 1lann | Scans a file or folder recursively for jar files that may be vulnerable | https://github.com/1lann/log4shelldetect |
| Syft | Open source SBOM scanner, can detect all dependencies including log4j | https://github.com/anchore/syft/ |
| Devotech | Powershell: Queries domain servers and scans for log4j-core files. (slow) | https://github.com/devotech/check-log4j |
Mitigation
Section titled “Mitigation”Please check NSCS-NL - log4shell - mitigation
Vulnerable software overview
Section titled “Vulnerable software overview”Please check NCSC-NL - log4shell - software overview