This is a public repository from Wortell containing information, links, files and other items related to CVE-2021-44228.
Due to vulnerabilities in log4j 2.16.0 it is now recommended to patch to version 2.17.0
Here are a few options to try and find applications that use Log4j and could potentially be abused:
- BURP Pro add-in: https://gist.github.com/kugg/0d08b6548db249eaffaca1799e0d01d6
- File scanner (obv Powershell, for Windows): https://gist.github.com/Skons/0b9bbfbbf37d2707ccf83f3d549a6588
- File Scanner (obv Go, all platforms) https://github.com/dtact/divd-2021-00038--log4j-scanner (Will also disable JNDI, when found!)
- Vulnerable test app: https://github.com/kugg/log4shellverify
- Web/URL scanner: https://github.com/zerobs-rvn/hrafna
- Web/URL scanner: https://github.com/fullhunt/log4j-scan
- Shodan: https://www.shodan.io/search?query=has_vuln%3ACVE2021-44228
- Tenable plugins: https://www.tenable.com/plugins/search?q=cves%3A%28%22CVE-2021-44228%22%29&sort=&page=1
- Lunasec Scanner: https://github.com/lunasec-io/lunasec/releases/tag/v1.0.0-log4shell
- Log Scanner (It checks local log files for indicators of exploitation attempts) https://github.com/Neo23x0/log4shell-detector
- Detects log4j versions on your file-system, including deeply recursively nested copies (jars inside jars inside jars). Works on Linux, Windows, and Mac, and everywhere else Java runs, too! https://github.com/mergebase/log4j-detector
- Ansible-based scanner https://github.com/robertdebock/ansible-role-cve_2021_44228
- NCC Group Indicators of compromise https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/
- Nested Log4J exploit strings https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
- Microsoft's Threat Intelligence Center IOC feed https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
- Crowdsec IOC list https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166
- (dutch) NCSC list of vulnerable applications: https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md
- Lunasec (Guide to detect and mitigate Log4Shell) https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
- Govcert.ch Zero Day Exployst targeting popular Java Library Log4j https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- Dutch NCSC guidance: https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen
- Dutch NCSC advisory: https://www.ncsc.nl/actueel/advisory?id=NCSC-2021-1052
- Log4Shell: the defender’s worst nightmare? https://www.sekoia.io/en/log4shell-the-defenders-worst-nightmare/
- Microsoft: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
- How to detect Log4j with MS Endpoint Manager (Alex Verboon) https://www.verboon.info/2021/12/how-to-detect-the-log4shell-vulnerability-cve-2021-44228-with-microsoft-endpoint-configuration-manager/
- Attackers now shifting from LDAP to RMI https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi
- Conti Becomes The First Sophisticated Crimeware Group Weaponizing Log4j2 https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
-
VX-underground is maintaining a library of samples from malware families that have been seen abusing the log4j cve: https://samples.vx-underground.org/samples/Families/Log4J%20Malware/
-
Samples of log4j library versions to help validate log4j scanners / detectors: https://github.com/mergebase/log4j-samples/
-
Microsoft Sentinel provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing and learning more about the vulnerability: https://github.com/Cyb3rWard0g/log4jshell-lab
- Apache LOG4J version 2.17.0 https://logging.apache.org/log4j/2.x/download.html
! IMPORTANT ! Exploits are continously developed. Aways make sure to work with the latest version of scanners. It is verified that scanners used below take into account that version 2.17.0 of log4j is recommended.
-
Identify potential vulnerable devices by using https://github.com/NCSC-NL/log4shell/blob/main/software/README.md - This a time consuming task, but you need to do it anyway, so better start quickly!
-
Run a scan to check for vulnerable java applications/dependancies using: https://github.com/mergebase/log4j-detector with command
java log4j-detector-2021.12.14.jar c:/and watch for files that have been classified as vulnerable.
Depending on the version of the Log4J library found, the following classifications will be done:
| Version | Classification |
|---|---|
| 2.12.2 | Safe |
| 2.17.0 | Safe |
| 2.16.0 | Okay |
| 2.15.0 | Okay |
| < 2.15.0 | Vulnerable |
- Run a scan to check for expoit attempts using https://github.com/Neo23x0/log4shell-detector
python3 log4shell-detector.py -p c:\and wath for exploitation attempts.
Here are Wortell specialists blogging about LOG4J:
- Jeffrey Appel: Microsoft Defender https://jeffreyappel.nl/microsoft-defender-for-endpoint-log4j/
- Jeroen Niesen: reverse engineering https://www.wortell.nl/en/blogs/cve-2021-44228-log4shell
