Log4Shell (CVE-2021-44228)
Reference
Plugin Id: 40043 | CWE: 117
Remediation
Fix Log4Shell by upgrading log4j-core to a release Apache has published as fixed: 2.17.1 or later for Java 8 and newer, 2.12.4 for Java 7, or 2.3.2 for Java 6. 2.17.0 closed CVE-2021-44228 and the follow-up CVE-2021-45046 and CVE-2021-45105; 2.17.1 additionally closes the lower-severity CVE-2021-44832, which needs write access to the logging configuration. The fix has to reach every copy of log4j-core on the classpath, including copies shaded into other jars, so verify against the deployed artifacts rather than the declared dependency.

If the library has already been upgraded and the finding persists, check whether JNDI lookups have been re-enabled. From 2.17.0 they are off by default and only come back when the system property log4j2.enableJndiLookup=true is set (or the equivalent entry in log4j2.component.properties); removing that setting returns an up-to-date version to its safe default.

Where an upgrade is genuinely impossible, Apache's supported mitigation for 2.x is to delete the class org/apache/logging/log4j/core/lookup/JndiLookup.class from the jar. Setting log4j2.formatMsgNoLookups=true is not a reliable substitute (it is bypassable in some non-default configurations, CVE-2021-45046), and filtering the literal "${jndi:" out of requests is defeated by nested lookups such as ${${lower:j}ndi:...}.

Ultimately the root cause is that the library interpreted attacker-controlled log content as lookup expressions. Never trust user-supplied input, but treat input filtering here as defence in depth, not as the fix.
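The following is an added example, not StackHawk's or Apache's code, that puts the remediation checks above into a small script: it reads a jar, reports the log4j-core version against the fixed thresholds (2.3.2, 2.12.4, 2.17.1), reports whether JndiLookup.class is still present, and can rewrite a jar without that class. The sample jars it scans are constructed in build_sample_jar() so it runs offline; the status labels are this script's own.

```python
"""Check log4j-core jars for the Log4Shell fix level and the JndiLookup class.

Added example, not StackHawk's or Apache's code. It runs offline against
constructed stand-in jars built by build_sample_jar(); point scan_jar() at the
bytes of real log4j-core jars (and at jars that shade log4j-core) to use it.
"""
import io
import re
import zipfile

# Entry paths as they appear in real log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed_version(version):
    """True when the version is at or above Apache's fixed release for its line:
    2.3.2 (Java 6 line), 2.12.4 (Java 7 line), 2.17.1 (everything else on 2.x).
    2.15.0 and 2.16.0 are deliberately reported as not fixed: their fixes were
    incomplete (CVE-2021-45046, CVE-2021-45105)."""
    major, minor, _ = version
    if major != 2:
        return False            # 1.x is a different code base; review separately
    if minor == 3:
        return version >= (2, 3, 2)
    if minor == 12:
        return version >= (2, 12, 4)
    return version >= (2, 17, 1)


def scan_jar(jar_bytes):
    """Classify one jar. status is one of this script's own labels:
    fixed, vulnerable, mitigated (JndiLookup removed from an old build),
    unknown (JndiLookup present but no log4j-core version metadata found),
    not-log4j-core (neither marker present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        present = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    if version is not None and is_fixed_version(version):
        status = "fixed"
    elif version is None and not present:
        status = "not-log4j-core"
    elif not present:
        status = "mitigated"
    elif version is not None:
        status = "vulnerable"
    else:
        status = "unknown"
    return {"version": version, "jndi_lookup_present": present, "status": status}


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class. This is the mitigation Apache
    published for 2.x builds that cannot be upgraded; it is a stopgap, not a fix."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: only the two entries the
    scanner looks at, with a four-byte dummy class body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.12.4", "2.17.1"):
        print(ver, scan_jar(build_sample_jar(ver)))
    print("2.14.1 after strip", scan_jar(strip_jndi_lookup(build_sample_jar("2.14.1"))))
```

strip_jndi_lookup() does in Python what Apache's published one-liner does with zip -d on that class path. A "mitigated" result should still be tracked as technical debt: the class is only gone until the next build or dependency refresh puts it back, which is why the scan keys on the deployed jar rather than on a version pinned in a build file.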
About
Apache Log4j2 releases from 2.0-beta9 through 2.14.1 have a vulnerability (CVE-2021-44228) in the way JNDI lookups are resolved in configuration, log messages and parameters. When message lookup substitution is enabled (the default in those versions) and an attacker controls any string that reaches a log call, a logged value of the form ${jndi:ldap://host/path} makes the JVM connect to the attacker's LDAP (or RMI) server and can load and execute a class returned from it. The lookup fires whether the value is concatenated into the message or passed as a placeholder argument to the logging call, so ordinary, well-formed logging code is affected. Typical injection points are HTTP headers such as User-Agent and X-Forwarded-For, form fields, usernames, and anything else the application or an intermediate component writes to a log. Log4j 2.15.0 disabled message lookups by default, but that fix was incomplete (CVE-2021-45046); 2.16.0 disabled JNDI access by default, and from 2.17.0 each JNDI feature has to be enabled explicitly with its own property (log4j2.enableJndiLookup for lookups).
Risks
Exploitation gives the attacker remote code execution on the application server, in the security context of the JVM process, and typically without any authentication, since the payload only has to be written to a log. Observed follow-on activity included the installation of remote access tools, cryptocurrency miners and ransomware; the vulnerability first drew wide attention through Minecraft servers, where a single chat message was enough to trigger it. Even where remote class loading is blocked (newer JVM builds refuse remote codebases by default, although local deserialization gadgets have been used to regain execution), the lookup still makes an outbound LDAP or DNS request to a hostname the attacker chooses, and nested lookups such as ${env:...} can place environment variables, cloud credentials included, into that hostname, so data leaves the host without any code running.
Resources
https://www.stackhawk.com/blog/log4shell-issue-overview-and-stackhawk-response-to-log4j-remote-code/
https://logging.apache.org/log4j/2.x/