Vulnerability Details : CVE-2021-44228

Exploit prediction scoring system (EPSS) score for CVE-2021-44228

Metasploit modules for CVE-2021-44228

• MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)

  Disclosure Date : 2021-12-12

  exploit/linux/http/mobileiron_core_log4shell

  MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This module will start an LDAP server that the target will need to connect to. Authors: - Spencer McIntyre - RageLtMan <rageltman@sempervictus> - rwincey - jbaines-r7

  More information

• Log4Shell HTTP Header Injection

  Disclosure Date : 2021-12-09

  exploit/multi/http/log4shell_header_injection

  Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work. The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must

  More information

• VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)

  Disclosure Date : 2021-12-09

  exploit/multi/http/vmware_vcenter_log4shell

  VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector. Authors: - Spencer McIntyre - RageLtMan <rageltman@sempervictus> - jbaines-r7 - w3bd3vil

  More information

• UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)

  Disclosure Date : 2021-12-09

  exploit/multi/http/ubiquiti_unifi_log4shell

  The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the /api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the server application. This module will start an LDAP server that the target will need to connect to. Authors: - Spencer McIntyre - RageLtMan <rageltman@sempervictus> - Nicholas Anastasi

  More information

• Log4Shell HTTP Scanner

  Disclosure Date : 2021-12-09

  auxiliary/scanner/http/log4shell_scanner

  Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include HTTP headers and the HTTP request path. Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki, Apache OFBiz. Authors: - Spencer McIntyre - RageLtMan <rageltman@sempervictus>

  More information

CVSS scores for CVE-2021-44228

CWE ids for CVE-2021-44228

• CWE-20 Improper Input Validation
  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: [email protected] (Primary)
• CWE-400 Uncontrolled Resource Consumption
  The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
  Assigned by: [email protected] (Primary)
• CWE-502 Deserialization of Untrusted Data
  The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
  Assigned by: [email protected] (Primary)
• CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
  The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
  Assigned by: [email protected] (Secondary)

References for CVE-2021-44228

Products affected by CVE-2021-44228