Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Published 2021-12-10 10:15:09
Updated 2024-07-24 17:08:24
View at NVD,   CVE.org
Vulnerability category: Execute code

Products affected by CVE-2021-44228

CVE-2021-44228 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Apache Log4j2 Remote Code Execution Vulnerability
CISA required action:
For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitiga
CISA description:
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Added on 2021-12-10 Action due date 2021-12-24

Exploit prediction scoring system (EPSS) score for CVE-2021-44228

96.76%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-44228

  • Log4Shell HTTP Scanner
    Disclosure Date: 2021-12-09
    First seen: 2022-12-23
    auxiliary/scanner/http/log4shell_scanner
    Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will scan an HTTP end point for the Log4Shell vu
  • VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)
    Disclosure Date: 2021-12-09
    First seen: 2022-12-23
    exploit/multi/http/vmware_vcenter_log4shell
    VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the ca
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
    Disclosure Date: 2021-12-12
    First seen: 2022-12-23
    exploit/linux/http/mobileiron_core_log4shell
    MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This module
  • Log4Shell HTTP Header Injection
    Disclosure Date: 2021-12-09
    First seen: 2022-12-23
    exploit/multi/http/log4shell_header_injection
    Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will exploit an HTTP end point with the Log4Shel
  • UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)
    Disclosure Date: 2021-12-09
    First seen: 2022-12-23
    exploit/multi/http/ubiquiti_unifi_log4shell
    The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the /api/login endpoint that will cause the server to connect to t

CVSS scores for CVE-2021-44228

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.3
HIGH AV:N/AC:M/Au:N/C:C/I:C/A:C
8.6
10.0
NIST
10.0
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
3.9
6.0
NIST

CWE ids for CVE-2021-44228

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by: security@apache.org (Primary)
  • The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
    Assigned by: security@apache.org (Primary)
  • The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
    Assigned by: security@apache.org (Primary)
  • The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
    Assigned by: nvd@nist.gov (Secondary)

References for CVE-2021-44228

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!