Exploit for #VU58816 Code Injection in Apache Log4j

Vulnerability identifier: #VU58816

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2021-44228

CWE-ID: CWE-94

Exploitation vector: Network

Exploits in database: 49

• October 25, 2024
  • AD Manager Plus 7122 - Remote Code Execution (RCE) [Exploit-DB]
• May 7, 2023
  • log4j-exploit-fork-bomb (??? Proof of Concept: пример запуска fork-бомбы на удаленном сервере благодаря уязвимости CVE-2021-44228) [Github]
• March 4, 2023
  • Log4j_Vulnerability_Demo (A simple program to demonstrate how Log4j vulnerability can be exploited ( CVE-2021-44228 ) ) [Github]
• November 13, 2022
  • log4j-payload-generator (log4j-paylaod generator : A generic payload generator for Apache log4j RCE CVE-2021-44228) [Github]
• September 26, 2022
  • StudyRoom ( Repository created for study and POC's on vulnerabilities.) [Github]
• September 7, 2022
  • gosploitoy (A simple golang tool to search for exploit-db cve's) [Github]
• September 1, 2022
  • CVE-2021-44228 (PoC for CVE-2021-44228.) [Github]
• August 5, 2022
  • log4shell-rmi-poc (A Proof of Concept of the Log4j vulnerabilities (CVE-2021-44228) over Java-RMI) [Github]
• August 2, 2022
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) [Metasploit]
• July 26, 2022
  • cve-maker (Tool to find CVEs and Exploits.) [Github]
• July 6, 2022
  • CVEsLab (? A collection of proof-of-concept exploit scripts on docker lab environments has been discovered by Securi Trust Team. Vulnerabilities has been written by SecuriTrust team for various CVEs.) [Github]
• June 30, 2022
  • log4j-exploit-builder (Script to create a log4j (CVE-2021-44228) exploit with support for different methods of getting a reverse shell) [Github]
• June 9, 2022
  • log4j-shell-csw (A Proof-Of-Concept Exploit for CVE-2021-44228 vulnerability.) [Github]
• June 1, 2022
  • log4j-exploit-builder (Script to create a log4j (CVE-2021-44228) exploit with support for different methods of getting a reverse shell) [Github]
• May 13, 2022
  • Apache Log4j2 2.14.1 - Information Disclosure [Exploit-DB]
  • Apache Log4j 2 - Remote Code Execution (RCE) [Exploit-DB]
• March 14, 2022
  • log4j-dork-scanner (A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks) [Github]
• February 1, 2022
  • apache-tomcat-log4j (Log4j2 CVE-2021-44228 Vulnerability POC in Apache Tomcat) [Github]
• January 21, 2022
  • UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell) [Metasploit]
• January 20, 2022
  • VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) [Metasploit]
• January 12, 2022
  • Log4Shell HTTP Header Injection [Metasploit]
• January 10, 2022
  • Log4jHorizon (Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.) [Github]
• December 16, 2021
  • Log4Shell HTTP Scanner [Metasploit]
• December 15, 2021
  • Log4j_CVE-2021-45046 (Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046) [Github]
• December 13, 2021
  • Log4j-RCE (Log4j RCE - (CVE-2021-44228)) [Github]
  • CVE_2021_44228_Check (Check if Java allows JNDI remote code exec by default) [Github]
  • exploit-CVE-2021-44228 (This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228).) [Github]
  • vcenter-log4j (Script to apply official workaround for VMware vCenter log4j vulnerability CVE-2021-44228) [Github]
  • Log4J-Scanner (Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability pre and post auth.) [Github]
  • log4j-jndi-be-gone (A Byte Buddy Java agent-based fix for CVE-2021-44228, the log4j 2.x "JNDI LDAP" vulnerability.) [Github]
  • log4j-scan (A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228 ) [Github]
  • nse-log4shell (Nmap NSE scripts to check against log4shell or LogJam vulnerabilities (CVE-2021-44228)) [Github]
• December 12, 2021
  • CVE-2021-44228_Example () [Github]
  • log4j_CVE-2021-44228_tester (Test for log4j vulnerability across your external footprint) [Github]
  • sample-ldap-exploit (A short demo of CVE-2021-44228) [Github]
  • cve-2021-44228-minecraft-poc (Log4J CVE-2021-44228 Minecraft PoC) [Github]
  • log4j2burpscanner (CVE-2021-44228 Log4j2 BurpSuite Scanner,Customize ceye.io api or other apis,including internal networks) [Github]
  • log4j-poc (CVE-2021-44228 test demo) [Github]
  • log4j-shell-poc (A Proof-Of-Concept for the CVE-2021-44228 vulnerability. ) [Github]
  • CVE-2021-44228-example (vulnerability POC) [Github]
  • python-log4rce (An All-In-One Pure Python PoC for CVE-2021-44228) [Github]
  • CVE-2021-44228 (Abuse Log4J CVE-2021-44228 to patch CVE-2021-44228 in vulnerable Minecraft game sessions to prevent exploitation in the session :) ) [Github]
  • hotpatch-for-apache-log4j2 (An agent to hotpatch the log4j RCE from CVE-2021-44228.) [Github]
  • log4shell-vulnerable-app (Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).) [Github]
  • CVE-2021-44228-Scanner (Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228) [Github]
  • CVE-2021-44228-PoC-log4j-bypass-words (?‍? ✂️ ? CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks) [Github]
  • CVE-2021-44228-Apache-Log4j-Rce (Apache Log4j 远程代码执行) [Github]
• December 10, 2021
  • CVE-2021-44228 (Apache Log4j 2 a remote code execution vulnerability via the ldap JNDI parser.) [Github]
  • Log4J-RCE-Proof-Of-Concept (Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information) [Github]

Vulnerable software:
Apache Log4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation