CVE-2021-44228 - Deserialization of Untrusted Data

Severity

99%

Complexity

39%

Confidentiality

100%

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS 3.1 Base Score 9.9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS 2.0 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Deserialization of Untrusted Data

CWE-502

This code snippet deserializes an object from a file and uses it as a UI button:


               
}
in.close();

This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed.

To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is:


               
throw new java.io.IOException("Cannot be deserialized"); }

Deserialization of Untrusted Data

CWE-502

In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [R.502.7], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.


               
}

                     
raise AuthFail

Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh.

Overview

First reported 3 years ago

2021-12-10 10:15:00

Last updated 3 years ago

2021-12-28 19:32:00

Affected Software

Apache Software Foundation Log4j 2.0

2.0

Apache Software Foundation Log4j 2.0 Beta9

2.0

Apache Software Foundation Log4j 2.0 Release Candidate 1

2.0

Apache Software Foundation Log4j 2.0 Release Candidate 2

2.0

Siemens Logo! Soft Comfort

Siemens Spectrum Power 4

Debian Linux 9.0

9.0

NetApp Active IQ Unified Manager for VMware vSphere

vmware_vsphere

NetApp Active IQ Unified Manager for Windows

windows

Netapp Cloud Insights

Cisco Data Center Network Manager (DCNM) 11.3(1)

11.3\(1\)

Cisco Emergency Responder

Cisco Finesse

Cisco Identity Services Engine (ISE)

Cisco Identity Services Engine 2.4.0

2.4.0

Cisco Packaged Contact Center Enterprise 11.6(1)

11.6\(1\)

Cisco Prime Service Catalog

Cisco Unified Communications Manager 11.5(1)su3

11.5\(1\)su3

Cisco Unified Contact Center Enterprise

Cisco Unified Contact Center Enterprise 11.6(2)

11.6\(2\)

Cisco Unity Connection Software

Cisco Video Surveillance Operations Manager

Cisco WebEx Meetings Server

Cisco Webex Meetings Server 3.0 Maintenance Release 2

3.0

Cisco Webex Meetings Server 3.0 Maintenance Release 3

3.0

Cisco Webex Meetings Server 4.0

4.0

Cisco Webex Meetings Server 4.0 Maintenance Release 1

4.0

Cisco Webex Meetings Server 4.0 Maintenance Release 2

4.0

Cisco Unified Intelligence Center

Cisco Firepower Threat Defense 6.2.3

6.2.3

Cisco Firepower Threat Defense (FTD) 6.3.0

6.3.0

Cisco Firepower Threat Defense (FTD) 6.4.0

6.4.0

Cisco Firepower Threat Defense (FTD) 6.5.0

6.5.0

Cisco Firepower Threat Defense 6.6.0

6.6.0

Cisco Prime Service Catalog 12.1

12.1

Cisco Unified Contact Center Enterprise 12.0(1)

12.0\(1\)

Cisco Unified Contact Center Enterprise 12.5(1)

12.5\(1\)

Cisco Unity Connection 11.5

11.5

Cisco WebEx Meetings Server 3.0

3.0

References

https://logging.apache.org/log4j/2.x/security.html

[oss-security] 20211210 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

https://security.netapp.com/advisory/ntap-20211210-0007/

20211210 Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021

[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

https://logging.apache.org/log4j/2.x/security.html

Release Notes, Vendor Advisory

[oss-security] 20211210 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Mailing List, Mitigation, Third Party Advisory

[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Mailing List, Mitigation, Third Party Advisory

http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

Third Party Advisory, VDB Entry

https://security.netapp.com/advisory/ntap-20211210-0007/

Vendor Advisory

20211210 Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021

Third Party Advisory

[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Mailing List, Third Party Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

Third Party Advisory

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

Third Party Advisory

FEDORA-2021-f0f501d01f

[oss-security] 20211213 CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

[oss-security] 20211213 Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

https://twitter.com/kurtseifried/status/1469345530182455296

[debian-lts-announce] 20211212 [SECURITY] [DLA 2842-1] apache-log4j2 security update

DSA-5020

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html

http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html

[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

VU#930724

http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html

http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html

http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html

http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html

[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

FEDORA-2021-f0f501d01f

Third Party Advisory

[oss-security] 20211213 CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Mailing List, Third Party Advisory

[oss-security] 20211213 Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Mailing List, Third Party Advisory

https://twitter.com/kurtseifried/status/1469345530182455296

Exploit, Third Party Advisory

[debian-lts-announce] 20211212 [SECURITY] [DLA 2842-1] apache-log4j2 security update

Mailing List, Third Party Advisory

DSA-5020

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

Third Party Advisory

http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html

Exploit, Third Party Advisory, VDB Entry

[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Mailing List, Third Party Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

Third Party Advisory

VU#930724

Third Party Advisory, US Government Resource

http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html

Third Party Advisory, VDB Entry

[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Mailing List, Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf

Third Party Advisory

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Mitigation, Third Party Advisory

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Third Party Advisory

MISC

Third Party Advisory

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.