Critical: Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

CVE ID

CVE-2021-44228

Exploitation status

Weaponized

Patch status

Official patch available

Disclosure date

2021-12-10
This vulnerability has been weaponized by attackers for large-scale worm propagation, ransomware and cryptomining. You are advised to treat it as urgent and remediate immediately.
Vulnerability description

Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (United States).

Apache Log4j contains a code-handling flaw: an attacker can craft a data request and send it to a server that uses Apache Log4j, and when that request is written to a log, remote code execution is triggered.
Remediation
The vendor has released an upgrade patch that fixes the vulnerability. The patch can be obtained at:

https://logging.apache.org/log4j/2.x/security.html
References
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-...
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-...
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-...
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-...
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthentic...
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthe...
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cro...
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Comma...
http://seclists.org/fulldisclosure/2022/Dec/2
http://seclists.org/fulldisclosure/2022/Jul/11
http://seclists.org/fulldisclosure/2022/Mar/23
http://www.openwall.com/lists/oss-security/2021/12/10/1
http://www.openwall.com/lists/oss-security/2021/12/10/2
http://www.openwall.com/lists/oss-security/2021/12/10/3
http://www.openwall.com/lists/oss-security/2021/12/13/1
http://www.openwall.com/lists/oss-security/2021/12/13/2
http://www.openwall.com/lists/oss-security/2021/12/14/4
http://www.openwall.com/lists/oss-security/2021/12/15/3
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
https://github.com/cisagov/log4j-affected-db
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://logging.apache.org/log4j/2.x/security.html
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://security.netapp.com/advisory/ntap-20211210-0007/
https://support.apple.com/kb/HT213189
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
https://twitter.com/kurtseifried/status/1469345530182455296
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
https://www.debian.org/security/2021/dsa-5020
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
https://www.kb.cert.org/vuls/id/930724
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
Affected software
Each entry lists the environment the affected package runs in. "Up to (excluding)" means every version below the listed one is affected and the listed version is fixed; "Up to (including)" means the listed version is itself still affected.

Type    Platform             Product         Version   Affected range
System  amazon_2             apache-log4j2   *         Up to (excluding) 2.0.4-1.amzn2
System  amazon_2022          log4j           *         Up to (excluding) 2.17.2-1.amzn2022.0.3
System  amazon_AMI           apache-log4j2   *         Up to (excluding) 1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.78.amzn1
System  debian_10            apache-log4j2   *         Up to (excluding) 2.15.0-1~deb10u1
System  debian_11            apache-log4j2   *         Up to (excluding) 2.15.0-1~deb11u1
System  debian_12            apache-log4j2   *         Up to (including) 2.13.3-1
System  debian_9             apache-log4j2   *         Up to (excluding) 2.7-2+deb9u1
System  debian_sid           apache-log4j2   *         Up to (including) 2.13.3-1
System  fedora_34            apache-log4j2   *         Up to (excluding) 2.1.1-4.fc34
System  fedora_35            apache-log4j2   *         Up to (excluding) 2.15.0-1.fc35
System  opensuse_Leap_15.2   apache-log4j2   *         Up to (excluding) 2.13.0-lp152.3.3.1
System  opensuse_Leap_15.3   apache-log4j2   *         Up to (excluding) 2.13.0-4.3.1
System  ubuntu_16.04         apache-log4j2   *         Up to (excluding) 2.4-2ubuntu0.1~esm1
System  ubuntu_18.04         apache-log4j2   *         Up to (excluding) 2.10.0-2ubuntu0.1
System  ubuntu_20.04         apache-log4j2   *         Up to (excluding) 2.15.0-0.20.04.1
System  ubuntu_21.04         apache-log4j2   *         Up to (excluding) 2.15.0-0.21.04.1
System  ubuntu_21.10         apache-log4j2   *         Up to (excluding) 2.15.0-0.21.10.1
Alibaba Cloud score
9.3
  • Attack vector
    Remote
  • Attack complexity
    High
  • Privileges required
    None
  • Scope
    Global impact
  • Exploit maturity
    Weaponized
  • Patch status
    Official patch available
  • Data confidentiality
    Data leakage
  • Data integrity
    Data in transit compromised
  • Server impact
    Server compromise
  • Internet-wide count
    N/A
CWE-ID   Vulnerability type
CWE-20   Improper Input Validation
CWE-400  Uncontrolled Resource Consumption (Resource Exhaustion)
CWE-502  Deserialization of Untrusted Data
CWE-917  Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)
Alibaba Cloud security product coverage