Log4Shell CVE-2021-44228
Description
Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Endpoint_Processes, Network_Traffic, Risk, Web
- Last Updated: 2021-12-11
- Author: Jose Hernandez
- ID: b4453928-5a98-11ec-afcd-8de10b48fc52
Narrative
In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called “A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land”. Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.
Detections
Reference
- https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
- https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j
- https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
source | version: 1