2024-05-25 21:48:12 +02:00
### [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)
& color=brighgreen)
### Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
### POC
#### Reference
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
#### Github
- https://github.com/0xsyr0/Log4Shell
- https://github.com/1lann/log4shelldetect
- https://github.com/2lambda123/og4j-scan
- https://github.com/4ra1n/4ra1n
- https://github.com/ADP-Dynatrace/dt-appsec-powerup
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Afrouper/MavenDependencyCVE-Scanner
- https://github.com/Ananya-0306/Log-4j-scanner
- https://github.com/Anonymous-Phunter/PHunter
- https://github.com/Aschen/log4j-patched
- https://github.com/Awisefew/Lof4j
- https://github.com/BobTheShoplifter/CVE-2021-45046-Info
- https://github.com/BuildScale/log4j.scan
- https://github.com/CERTCC/CVE-2021-44228_scanner
- https://github.com/CGCL-codes/PHunter
- https://github.com/CUBETIQ/cubetiq-security-advisors
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/CaptanMoss/Log4Shell-Sandbox-Signature
- https://github.com/Contrast-Security-OSS/safelog4j
- https://github.com/CptOfEvilMinions/ChooseYourSIEMAdventure
- https://github.com/Cyb3rWard0g/log4jshell-lab
- https://github.com/Cybereason/Logout4Shell
- https://github.com/DANSI/PowerShell-Log4J-Scanner
- https://github.com/DXC-StrikeForce/Burp-Log4j-HammerTime
- https://github.com/DevGHI/jmeter-docker
- https://github.com/Diablo5G/Certification-Prep
- https://github.com/Dikens88/hopp
- https://github.com/Diverto/nse-log4shell
- https://github.com/EMSeek/log4poc
- https://github.com/GameProfOrg/Jpg-Png-Exploit-Downloader-Fud-Cryter-Malware-Builder-Cve-2022
- https://github.com/GameProfOrg/Slient-Doc-Pdf-Exploit-Builder-Fud-Malware-Cve
- https://github.com/GhostTroops/TOP
- https://github.com/GluuFederation/Log4J
- https://github.com/HackJava/HackLog4j2
- https://github.com/HackJava/Log4j2
- https://github.com/HynekPetrak/log4shell-finder
- https://github.com/ITninja04/awesome-stars
- https://github.com/JERRY123S/all-poc
- https://github.com/LoliKingdom/NukeJndiLookupFromLog4j
- https://github.com/MLX15/log4j-scan
- https://github.com/Maelstromage/Log4jSherlock
- https://github.com/Mattrobby/Log4J-Demo
- https://github.com/NCSC-NL/log4shell
- https://github.com/NUMde/compass-num-conformance-checker
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/NelsonKling/opencensus-java
- https://github.com/NiftyBank/java-app
- https://github.com/NorthShad0w/FINAL
- https://github.com/OSCKOREA-WORKSHOP/NEXUS-Firewall
- https://github.com/OWASP/www-project-ide-vulscanner
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/Pluralsight-SORCERI/log4j-resources
- https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
- https://github.com/PushpenderIndia/Log4jScanner
- https://github.com/Qerim-iseni09/ByeLog4Shell
- https://github.com/Qualys/log4jscanwin
- https://github.com/Ratlesv/Log4j-SCAN
- https://github.com/Rk-000/Log4j_scan_Advance
- https://github.com/Ryan2065/Log4ShellDetection
- https://github.com/SYRTI/POC_to_review
- https://github.com/Sandynaidu/log4j2_logger
- https://github.com/Secxt/FINAL
- https://github.com/SindhuDemo/PerfTestDemo
- https://github.com/Staubgeborener/stars
- https://github.com/Stiloco/LOG4
- https://github.com/SushmaPerfTest/docker-PerformanceTest
- https://github.com/TheInterception/Log4J-Simulation-Tool
- https://github.com/Tim1995/FINAL
- https://github.com/VMsec/log4jScan_Modify
- https://github.com/VerveIndustrialProtection/CVE-2021-44228-Log4j
- https://github.com/Vr00mm/log4j-article
- https://github.com/Whoaa512/starred
- https://github.com/WhooAmii/POC_to_review
- https://github.com/X1pe0/Log4J-Scan-Win
- https://github.com/Y0-kan/Log4jShell-Scan
- https://github.com/YoungBear/log4j2demo
- https://github.com/adelarsq/awesome-bugs
- https://github.com/ajread4/cve_pull
- https://github.com/alexbakker/log4shell-tools
- https://github.com/allegroai/clearml-server
- https://github.com/alphatron-employee/product-overview
- https://github.com/andalik/log4j-filescan
- https://github.com/apache/solr-docker
- https://github.com/avwolferen/Sitecore.Solr-log4j-mitigation
- https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
- https://github.com/aymankhder/og4j-scanner
- https://github.com/back2root/log4shell-rex
- https://github.com/bashofmann/hacking-kubernetes
- https://github.com/benmurphyy/log4shell
- https://github.com/binkley/modern-java-practices
- https://github.com/bmw-inc/log4shell
- https://github.com/brechtsanders/find_log4j
- https://github.com/cckuailong/Log4j_CVE-2021-45046
- https://github.com/census-instrumentation/opencensus-java
- https://github.com/chenghungpan/test_data
- https://github.com/christian-taillon/log4shell-hunting
- https://github.com/cisagov/log4j-scanner
- https://github.com/codebling/wso2-docker-patches
- https://github.com/corretto/hotpatch-for-apache-log4j2
- https://github.com/cowbe0x004/cowbe0x004
- https://github.com/cyb3rpeace/log4j-scan
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/darkarnium/Log4j-CVE-Detect
- https://github.com/davejwilson/azure-spark-pools-log4j
- https://github.com/dbzoo/log4j_scanner
- https://github.com/demining/Log4j-Vulnerability
- https://github.com/demonrvm/Log4ShellRemediation
- https://github.com/dhanugupta/log4j-vuln-demo
- https://github.com/dileepdkumar/https-github.com-NCSC-NL-log4shell
- https://github.com/dileepdkumar/https-github.com-cisagov-log4j-affected-dbv2
- https://github.com/dileepdkumar/https-github.com-mergebase-log4j-samples
- https://github.com/dinlaks/RunTime-Vulnerability-Prevention---RHACS-Demo
- https://github.com/dkd/elasticsearch
- https://github.com/docker-solr/docker-solr
- https://github.com/doris0213/assignments
- https://github.com/dtact/divd-2021-00038--log4j-scanner
- https://github.com/edsonjt81/log4-scanner
- https://github.com/edsonjt81/log4j-scan
- https://github.com/edsonjt81/nse-log4shell
- https://github.com/elicha023948/44228
- https://github.com/eliezio/log4j-test
- https://github.com/eventsentry/scripts
- https://github.com/flux10n/log4j
- https://github.com/forcedotcom/Analytics-Cloud-Dataset-Utils
- https://github.com/forcedotcom/CRMA-dataset-creator
- https://github.com/fox-it/log4j-finder
- https://github.com/frontal1660/DSLF
- https://github.com/fullhunt/log4j-scan
- https://github.com/gitlab-de/log4j-resources
- https://github.com/gjrocks/TestLog4j
- https://github.com/google/security-research
- https://github.com/govgitty/log4shell-
2024-05-26 16:36:09 +00:00
- https://github.com/grvuolo/wsa-spgi-lab
2024-05-25 21:48:12 +02:00
- https://github.com/gumimin/dependency-check-sample
- https://github.com/hari-mutyala/HK-JmeterDocker
- https://github.com/hari-mutyala/jmeter-api-perf
- https://github.com/hari-mutyala/jmeter-ui-perf
- https://github.com/helsecert/CVE-2021-44228
- https://github.com/hillu/local-log4j-vuln-scanner
- https://github.com/hktalent/TOP
- https://github.com/hozyx/log4shell
- https://github.com/hupe1980/scan4log4shell
- https://github.com/husnain-ce/Log4j-Scan
- https://github.com/hypertrace/hypertrace
- https://github.com/imTigger/webapp-hardware-bridge
- https://github.com/immunityinc/Log4j-JNDIServer
- https://github.com/infiniroot/nginx-mitigate-log4shell
- https://github.com/insignit/cve-informatie
- https://github.com/integralads/dependency-deep-scan-utilities
- https://github.com/jacobalberty/unifi-docker
- https://github.com/jbmihoub/all-poc
- https://github.com/jfrog/jfrog-cli-plugins-reg
- https://github.com/jfrog/log4j-tools
- https://github.com/jnyilas/log4j-finder
- https://github.com/juancarlosme/java1
- https://github.com/justb4/docker-jmeter
- https://github.com/k3rwin/log4j2-intranet-scan
- https://github.com/kdecho/Log4J-Scanner
- https://github.com/kdpuvvadi/Omada-Ansible
- https://github.com/kdpuvvadi/omada-ansible
- https://github.com/khulnasoft-lab/awesome-security
- https://github.com/khulnasoft-labs/awesome-security
- https://github.com/kpostreich/WAS-Automation-CVE
- https://github.com/krah034/oss-vulnerability-check-demo
- https://github.com/layou233/Tritium-backup
- https://github.com/leoCottret/l4shunter
- https://github.com/lgtux/find_log4j
- https://github.com/lhotari/Log4Shell-mitigation-Dockerfile-overlay
- https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228
- https://github.com/lijiejie/log4j2_vul_local_scanner
- https://github.com/log4jcodes/log4j.scan
- https://github.com/logpresso/CVE-2021-44228-Scanner
- https://github.com/ludy-dev/cve-2021-45046
- https://github.com/lukepasek/log4jjndilookupremove
- https://github.com/lwollan/log4j-exploit-server
- https://github.com/mad1c/log4jchecker
- https://github.com/manishkanyal/log4j-scanner
- https://github.com/martinlau/dependency-check-issue
- https://github.com/mergebase/csv-compare
- https://github.com/mergebase/log4j-detector
- https://github.com/mergebase/log4j-samples
- https://github.com/mitiga/log4shell-everything
- https://github.com/mkbyme/docker-jmeter
- https://github.com/nagten/JndiLookupRemoval
- https://github.com/newrelic-experimental/nr-find-log4j
- https://github.com/nlmaca/Wowza_Installers
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/open-source-agenda/new-open-source-projects
- https://github.com/optionalg/ByeLog4Shell
- https://github.com/ossie-git/log4shell_sentinel
- https://github.com/ouarriorxx/log4j_test
- https://github.com/palantir/log4j-sniffer
- https://github.com/papicella/cli-snyk-getting-started
- https://github.com/papicella/conftest-snyk-demos
- https://github.com/paras98/Log4Shell
- https://github.com/pentesterland/Log4Shell
- https://github.com/perfqapm/docker-jmeter
- https://github.com/phax/ph-oton
- https://github.com/phax/phase4
- https://github.com/phax/phoss-directory
- https://github.com/phiroict/pub_log4j2_fix
- https://github.com/pmontesd/Log4PowerShell
- https://github.com/pratik-dey/DockerPOCPerf
- https://github.com/pravin-pp/log4j2-CVE-2021-45046
- https://github.com/r00thunter/Log4Shell
- https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator
- https://github.com/radiusmethod/awesome-gists
- https://github.com/retr0-13/log4j-bypass-words
- https://github.com/retr0-13/log4j-scan
- https://github.com/retr0-13/log4shell
- https://github.com/retr0-13/nse-log4shell
- https://github.com/rgl/log4j-log4shell-playground
- https://github.com/righettod/log4shell-analysis
- https://github.com/rohankumardubey/CVE-2021-44228_scanner
- https://github.com/rohankumardubey/hotpatch-for-apache-log4j2
- https://github.com/rtkwlf/wolf-tools
- https://github.com/samokat-oss/pisc
- https://github.com/scordero1234/java_sec_demo-main
- https://github.com/sdogancesur/log4j_github_repository
- https://github.com/seculayer/Log4j-Vulnerability
- https://github.com/shannonmullins/hopp
- https://github.com/sonicgdm/loadtests-jmeter
- https://github.com/soosmile/POC
- https://github.com/sourcegraph/log4j-cve-code-search-resources
- https://github.com/srhercules/log4j_mass_scanner
- https://github.com/sschakraborty/SecurityPOC
- https://github.com/suky57/logj4-cvi-fix-unix
- https://github.com/taielab/awesome-hacking-lists
- https://github.com/taise-hub/log4j-poc
- https://github.com/tarja1/log4shell_fix
- https://github.com/tasooshi/horrors-log4shell
- https://github.com/tcoliver/IBM-SPSS-log4j-fixes
- https://github.com/tejas-nagchandi/CVE-2021-45046
- https://github.com/thecloudtechin/jmeter-jenkins
- https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
- https://github.com/thl-cmk/CVE-log4j-check_mk-plugin
- https://github.com/thongtran89/docker_jmeter
- https://github.com/tmax-cloud/install-EFK
- https://github.com/trhacknon/CVE-2021-44228-Scanner
- https://github.com/trhacknon/Pocingit
- https://github.com/trhacknon/log4shell-finder
- https://github.com/trickyearlobe/inspec-log4j
- https://github.com/trickyearlobe/patch_log4j
- https://github.com/triw0lf/Security-Matters-22
- https://github.com/viktorbezdek/awesome-github-projects
- https://github.com/voditelnloo/jmeterjustb4
- https://github.com/w4kery/Respond-ZeroDay
- https://github.com/wanniDev/OEmbeded
- https://github.com/warriordog/little-log-scan
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/wh1tenoise/log4j-scanner
- https://github.com/whalehub/awesome-stars
- https://github.com/whitesource-ps/ws-bulk-report-generator
- https://github.com/whitesource/log4j-detect-distribution
- https://github.com/whitfieldsdad/cisa_kev
- https://github.com/wortell/log4j
- https://github.com/xsultan/log4jshield
- https://github.com/yahoo/check-log4j
- https://github.com/yannart/log4shell-scanner-rs
- https://github.com/yycunhua/4ra1n
- https://github.com/zaneef/CVE-2021-44228
- https://github.com/zecool/cve
- https://github.com/zeroonesa/ctf_log4jshell
- https://github.com/zhzyker/logmap
- https://github.com/zisigui123123s/FINAL
