CVE-2021-44228

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Basic Information

CVE State
PUBLISHED
Reserved Date
November 26, 2021
Published Date
December 10, 2021
Last Updated
February 04, 2025
Vendor
Apache Software Foundation
Product
Apache Log4j2
Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2021-12-10 00:00:00 UTC)
Proof of Concept Available
Yes (added 2022-11-08 15:29:42 UTC)
Used in Malware
Yes (added 2021-12-10 00:00:00 UTC)


Known Exploited Vulnerability Information

Source
CISA
Added Date
2021-12-10 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

vmware_vcenter_log4shell

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-44228

ubiquiti_unifi_log4shell

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-44228

log4shell_header_injection

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-44228

mobileiron_core_log4shell

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-44228

tadash10/Exploiting-CVE-2021-44228-Log4Shell-in-a-Banking-Environment

Type: github • Created: 2024-06-09 02:49:42 UTC • Stars: 2

Objective: Demonstrate the exploitation of the Log4Shell vulnerability (CVE-2021-44228) within a simulated banking application environment.

sec13b/CVE-2021-44228-POC

Type: github • Created: 2024-03-23 05:03:44 UTC • Stars: 1

exploit CVE-2021-44228

Tai-e/CVE-2021-44228

Type: github • Created: 2023-10-06 04:36:31 UTC • Stars: 9

Utilize Tai-e to identify the Log4shell (a.k.a. CVE-2021-44228) Vulnerability

srcporter/CVE-2021-44228

Type: github • Created: 2022-11-08 15:29:42 UTC • Stars: 1

DO NOT USE FOR ANYTHING REAL. Simple springboot sample app with vulnerability CVE-2021-44228 aka "Log4Shell"

hotpotcookie/CVE-2021-44228-white-box

Type: github • Created: 2022-02-12 11:19:41 UTC • Stars: 3

Log4j vulnerability testing environment based on CVE-2021-44228. It provides guidance to build the sample infrastructure and the exploit scripts. Supporting cooki3 script as the main exploit tools & integration

ColdFusionX/CVE-2021-44228-Log4Shell-POC

Type: github • Created: 2022-01-18 19:22:38 UTC • Stars: 2

POC for Infamous Log4j CVE-2021-44228

arnaudluti/PS-CVE-2021-44228

Type: github • Created: 2022-01-17 12:46:20 UTC • Stars: 0

Static detection of vulnerable log4j libraries on Windows servers, members of an AD domain.

maximofernandezriera/CVE-2021-44228

Type: github • Created: 2022-01-09 13:38:38 UTC • Stars: 5

This Log4j RCE exploit originated from https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

Vulnmachines/log4jshell_CVE-2021-44228

Type: github • Created: 2022-01-07 09:56:30 UTC • Stars: 2

Log4jshell - CVE-2021-44228

mr-r3b00t/CVE-2021-44228

Type: github • Created: 2022-01-05 11:27:16 UTC • Stars: 13

Backdoor detection for VMware view

marcourbano/CVE-2021-44228

Type: github • Created: 2021-12-24 19:26:36 UTC • Stars: 6

PoC for CVE-2021-44228.

TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit

Type: github • Created: 2021-12-23 01:59:03 UTC • Stars: 7

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

BabooPan/Log4Shell-CVE-2021-44228-Demo

Type: github • Created: 2021-12-22 03:34:40 UTC • Stars: 2

Log4Shell Demo with AWS

motikan2010/RASP-CVE-2021-44228

Type: github • Created: 2021-12-21 13:30:37 UTC • Stars: 2

Blog Sample Code

chandru-gunasekaran/log4j-fix-CVE-2021-44228

Type: github • Created: 2021-12-20 15:39:20 UTC • Stars: 2

Windows Batch Script to Fix the log4j-issue-CVE-2021-44228

nu11secur1ty/CVE-2021-44228-VULN-APP

Type: github • Created: 2021-12-17 18:45:19 UTC • Stars: 1

Fazmin/vCenter-Server-Workaround-Script-CVE-2021-44228

Type: github • Created: 2021-12-17 05:14:05 UTC • Stars: 2

Script - Workaround instructions to address CVE-2021-44228 in vCenter Server

Kr0ff/CVE-2021-44228

Type: github • Created: 2021-12-16 21:19:17 UTC • Stars: 4

Log4Shell Proof of Concept (CVE-2021-44228)

kannthu/CVE-2021-44228-Apache-Log4j-Rce

Type: github • Created: 2021-12-16 20:02:09 UTC • Stars: 0

shamo0/CVE-2021-44228

Type: github • Created: 2021-12-16 09:26:37 UTC • Stars: 4

log4shell (CVE-2021-44228) scanning tool

roxas-tan/CVE-2021-44228

Type: github • Created: 2021-12-16 08:46:55 UTC • Stars: 10

This Log4j RCE exploit originated from https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

VerveIndustrialProtection/CVE-2021-44228-Log4j

Type: github • Created: 2021-12-15 18:51:07 UTC • Stars: 1

kubearmor/log4j-CVE-2021-44228

Type: github • Created: 2021-12-15 10:55:35 UTC • Stars: 8

Apache Log4j Zero Day Vulnerability aka Log4Shell aka CVE-2021-44228

anuvindhs/how-to-check-patch-secure-log4j-CVE-2021-44228

Type: github • Created: 2021-12-15 07:51:28 UTC • Stars: 2

A one-stop repo/ information hub for all log4j vulnerability-related information.

CrackerCat/CVE-2021-44228-Log4j-Payloads

Type: github • Created: 2021-12-15 00:55:12 UTC • Stars: 3

CERTCC/CVE-2021-44228_scanner

Type: github • Created: 2021-12-14 23:33:51 UTC • Stars: 346

Scanners for Jar files that may be vulnerable to CVE-2021-44228

ab0x90/CVE-2021-44228_PoC

Type: github • Created: 2021-12-14 21:32:42 UTC • Stars: 16

dark-ninja10/Log4j-CVE-2021-44228

Type: github • Created: 2021-12-14 09:33:22 UTC • Stars: 0

On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string. Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short.

faisalfs10x/Log4j2-CVE-2021-44228-revshell

Type: github • Created: 2021-12-14 05:24:52 UTC • Stars: 18

Log4j2 CVE-2021-44228 revshell, ofc it suck!!

Contrast-Security-OSS/CVE-2021-44228

Type: github • Created: 2021-12-13 21:39:39 UTC • Stars: 0

Professional Service scripts to aid in the identification of affected Java applications in TeamServer

taurusxin/CVE-2021-44228

Type: github • Created: 2021-12-13 17:17:37 UTC • Stars: 2

kossatzd/log4j-CVE-2021-44228-test

Type: github • Created: 2021-12-13 15:11:15 UTC • Stars: 0

demo project to highlight how to execute the log4j (CVE-2021-44228) vulnerability

AlexandreHeroux/Fix-CVE-2021-44228

Type: github • Created: 2021-12-13 15:04:31 UTC • Stars: 6

Apply class remove process from ear/war/jar/zip archive, see https://logging.apache.org/log4j/2.x/

justakazh/Log4j-CVE-2021-44228

Type: github • Created: 2021-12-13 13:30:57 UTC • Stars: 5

Mass Check Vulnerable Log4j CVE-2021-44228

zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service

Type: github • Created: 2021-12-13 13:05:26 UTC • Stars: 13

kek-Sec/log4j-scanner-CVE-2021-44228

Type: github • Created: 2021-12-13 08:51:56 UTC • Stars: 2

Simple tool for scanning entire directories for attempts of CVE-2021-44228

ycdxsb/Log4Shell-CVE-2021-44228-ENV

Type: github • Created: 2021-12-13 08:43:45 UTC • Stars: 4

Log4Shell Docker Env

helsecert/CVE-2021-44228

Type: github • Created: 2021-12-13 07:48:49 UTC • Stars: 1

Log4J CVE-2021-44228 : Mitigation Cheat Sheet

fireeye/CVE-2021-44228

Type: github • Created: 2021-12-13 03:55:32 UTC • Stars: 37

OpenIOC rules to facilitate hunting for indicators of compromise

pedrohavay/exploit-CVE-2021-44228

Type: github • Created: 2021-12-13 02:18:57 UTC • Stars: 20

This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228).

sunnyvale-it/CVE-2021-44228-PoC

Type: github • Created: 2021-12-12 23:37:39 UTC • Stars: 8

CVE-2021-44228 (Log4Shell) Proof of Concept

corneacristian/Log4J-CVE-2021-44228-RCE

Type: github • Created: 2021-12-12 21:52:53 UTC • Stars: 3

Log4J (CVE-2021-44228) Exploit with Remote Command Execution (RCE)

guardicode/CVE-2021-44228_IoCs

Type: github • Created: 2021-12-12 14:27:28 UTC • Stars: 0

Known IoCs for log4j framework vulnerability

Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228

Type: github • Created: 2021-12-12 13:17:18 UTC • Stars: 15

IP addresses exploiting recent log4j2 vulnerability CVE-2021-44228

future-client/CVE-2021-44228

Type: github • Created: 2021-12-12 11:26:42 UTC • Stars: 67

Abuse Log4J CVE-2021-44228 to patch CVE-2021-44228 in vulnerable Minecraft game sessions to prevent exploitation in the session :)

sud0x00/log4j-CVE-2021-44228

Type: github • Created: 2021-12-12 10:22:45 UTC • Stars: 5

CVE-2021-44228

mzlogin/CVE-2021-44228-Demo

Type: github • Created: 2021-12-12 03:11:14 UTC • Stars: 2

Apache Log4j2 CVE-2021-44228 RCE Demo with RMI and LDAP

RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs

Type: github • Created: 2021-12-12 02:59:54 UTC • Stars: 45

irgoncalves/f5-waf-enforce-sig-CVE-2021-44228

Type: github • Created: 2021-12-11 21:59:19 UTC • Stars: 7

This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs

Type: github • Created: 2021-12-11 14:54:45 UTC • Stars: 9

Public IoCs about log4j CVE-2021-44228

b-abderrahmane/CVE-2021-44228-playground

Type: github • Created: 2021-12-11 12:16:45 UTC • Stars: 2

vorburger/Log4j_CVE-2021-44228

Type: github • Created: 2021-12-11 11:38:16 UTC • Stars: 3

logpresso/CVE-2021-44228-Scanner

Type: github • Created: 2021-12-11 11:18:46 UTC • Stars: 857

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228

byteboycn/CVE-2021-44228-Apache-Log4j-Rce

Type: github • Created: 2021-12-11 09:52:36 UTC • Stars: 2

M1ngGod/CVE-2021-44228-Log4j-lookup-Rce

Type: github • Created: 2021-12-11 07:55:45 UTC • Stars: 4

Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

Type: github • Created: 2021-12-10 22:35:00 UTC • Stars: 938

🐱‍💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks

Azeemering/CVE-2021-44228-DFIR-Notes

Type: github • Created: 2021-12-10 22:19:16 UTC • Stars: 7

CVE-2021-44228 DFIR Notes

mubix/CVE-2021-44228-Log4Shell-Hashes

Type: github • Created: 2021-12-10 18:06:06 UTC • Stars: 154

Hashes for vulnerable LOG4J versions

greymd/CVE-2021-44228

Type: github • Created: 2021-12-10 17:24:47 UTC • Stars: 35

Vulnerability CVE-2021-44228 checker

KosmX/CVE-2021-44228-example

Type: github • Created: 2021-12-10 17:13:18 UTC • Stars: 6

vulnerability POC

zlepper/CVE-2021-44228-Test-Server

Type: github • Created: 2021-12-10 12:35:30 UTC • Stars: 4

A small server for verifying if a given java program is susceptible to CVE-2021-44228

jas502n/Log4j2-CVE-2021-44228

Type: github • Created: 2021-12-10 05:23:44 UTC • Stars: 464

Remote Code Injection In Log4j

tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

Type: github • Created: 2021-12-09 15:27:38 UTC • Stars: 82

Apache Log4j remote code execution