PCI v3.2-6.5.1
CAPEC-23
CWE-502
HIPAA-164.306(a), 164.308(a)
ISO27001-A.14.2.5
OWASP 2013-A1
OWASP 2017-A1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Out of Band Code Evaluation (Log4j)

Severity:
Critical
Summary

Invicti detected that the application is vulnerable to the Log4j (version 2) remote code execution vulnerability (CVE-2021-44228) by capturing a DNS A request, which occurs when input data is interpreted by the vulnerable log4j library.

This is a highly critical issue and should be addressed as soon as possible.

Apache Log4j is an open source logging library used widely in the Java ecosystem. It features enhanced logging capability with JNDI and system property lookups. Improper input sanitization can cause JNDI lookups to load arbitrary Java classes from remote servers and can lead to remote code executions, sensitive information leakage and denial of service.

Three main CVE’s are published in regard to this vulnerability:

CVE-2021-44228: In Apache Log4j2, the JNDI features used in configuration, log messages and parameters do not protect against code being loaded from attacker controlled LDAP servers and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.

CVE-2021-45046: It was found that the fix Apache implemented in version 2.15.0 was incomplete in certain non-default configurations resulting in information leak, remote code execution and denial of service.

CVE-2021-45104: It was found that Apache Log4j versions through 2.16.0 did not prevent uncontrolled recursion from self-referential lookups.

Impact
  • An attacker can run arbitrary code on the server by loading arbitrary Java classes via JNDI lookup.
  • An attacker can leak sensitive information such as hostname or environment variables from a vulnerable server.
  • An attacker can cause denial of service on the vulnerable server.
Remediation

Apache has published patches for this vulnerability. Due to incomplete patches 2.15.0 and 2.16.0, upgrading to 2.17.0 is recommended.

  • Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).

Alternatively, this infinite recursion issue can be mitigated in configuration:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
Required Skills for Successful Exploitation
Actions To Take
Vulnerability Index

You can search and find all vulnerabilities

Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Featured resources

Blog

Strengthening enterprise application security: Invicti acquires Kondukto

Blog

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Blog

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Blog

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Blog

What lies ahead for CMS.

Blog

How to integrate CMS with other tools.

Blog

Improve user experience through CMS.

Blog

How CMS can benefit e-commerce.

Blog

Stay updated on CMS trends.

Blog

Tips for improving CMS performance.

Blog

Learn how to secure your CMS.

Blog

Explore the advantages of CMS.

Blog

A comprehensive guide to CMS.

Build your resistance to threats. And save hundreds of hours each month.