@zoltan-kecskemethy-epam
Last active December 16, 2021 16:17
General investigation log about log4j2 zero day CVE-2021-44228

CVE info at mitre.org: CVE-2021-44228

GitHub Trending repos used

GitHub Trending is full of repos related to this issue this week

List of scanners

List of scanners in NCSC-NL/log4shell

List of vulnerable apps and services

List of vulnerable software in NCSC-NL/log4shell

Example of how to scan your jar files

cd /usr/local/bin
wget https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.6.2/logpresso-log4j2-scan-1.6.2-linux.tar.gz
tar xzf logpresso-log4j2-scan-1.6.2-linux.tar.gz
log4j2-scan /opt/myapp
Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2 (2021-12-16)
Scanning directory: /opt/myapp

Scanned 55 directories and 555 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 1.08 seconds
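
To show what a jar scan of this kind checks, here is an added example (not part of the original gist and not Logpresso's code). It looks inside each archive, including nested ones, for log4j-core's Maven metadata and for JndiLookup.class, and reports statuses named after the scanner output above. The fixed versions 2.15.0, 2.12.2 and 2.3.1 are the releases that addressed CVE-2021-44228; the function names are chosen for this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# First log4j-core release per branch that addressed CVE-2021-44228 (default: 2.15.0).
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}

def classify(names, pom_text):
    """Return None when log4j-core is absent, else (version, status)."""
    has_jndi = JNDI_CLASS in names
    if pom_text is None and not has_jndi:
        return None
    m = re.search(r"^version=((\d+)\.(\d+)(?:\.(\d+))?\S*)", pom_text or "", re.M)
    if m is None:
        return "unknown", "potentially vulnerable"  # e.g. shaded copy, no Maven metadata
    ver = tuple(int(g or 0) for g in m.groups()[1:])
    if ver >= FIXED.get(ver[:2], (2, 15, 0)):
        return m.group(1), "patched"  # with respect to CVE-2021-44228 only
    return m.group(1), "vulnerable" if has_jndi else "mitigated"

def scan_archive(data, label):
    """Scan archive bytes, recursing into nested archives (fat JARs, WARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive despite its extension
    with zf:
        names = set(zf.namelist())
        pom = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else None
        result = classify(names, pom)
        findings = [(label, *result)] if result else []
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings

def scan_tree(root):
    """Scan every .jar/.war/.ear file below root."""
    paths = [p for p in sorted(Path(root).rglob("*")) if p.suffix.lower() in ARCHIVE_EXT]
    return [hit for p in paths if p.is_file() for hit in scan_archive(p.read_bytes(), str(p))]

if __name__ == "__main__":
    for path, version, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:<22} log4j-core {version:<10} {path}")
```

Run it with the directory to scan as its only argument, for example /opt/myapp. Copies of log4j relocated under a different package name are not detected by this path-based check.
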

Example of how to scan your Java application server

cd /usr/src
git clone https://github.com/fullhunt/log4j-scan.git
cd log4j-scan
pip3 install -r requirements.txt
python3 log4j-scan.py -u http://x.y.z.v:8080
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: http://x.y.z.v:8080
[•] URL: http://x.y.z.v:8080 | PAYLOAD: ${jndi:ldap://x.y.z.v.987729xxxxx86sv343r.interact.sh/admm65j}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.