I know it has been a while since I posted the last time. So far it has been an incredibly busy year and I didn't find a lot of time/motivation to write new articles, but this time deserves it! A new RCE 0-day exploit was released yesterday for the log4j2 Java logging package, which is very widely used. The exploit basically allows full control of a server, pretty easily, from a remote machine. Considering the number of companies/services impacted you can see how bad this is…
The vulnerability is CVE-2021-44228, also known as Log4Shell, and it has a CVSS score of 10.0, which is the highest possible. It affects Apache Log4j 2 versions 2.0-beta9 through 2.14.1.
The exploit allows full server control and it is incredibly easy to trigger. You can run your own test with a docker container if you don't believe me:
docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
Afterwards execute the following command in a new window:
curl 127.0.0.1:8080 -H 'User-Agent: ${jndi:ldap://127.0.0.1/a}'
And you should see the following in the application logs. The connection is refused because nothing is listening on 127.0.0.1:389, but the fact that a JNDI lookup was attempted at all proves the string in the header was evaluated by log4j:
2021-12-10 17:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
This basically means the attacker sends a request containing the payload in a field that the server logs (here the User-Agent header). When log4j formats the log message it evaluates the ${jndi:...} lookup and makes a JNDI/LDAP request to the server that was passed in the first step. The response from that attacker-controlled server contains a reference to a remote Java class, which is loaded into the server process, and that allows arbitrary code execution on the server. The folks at LunaSec did an amazing job putting together information about this: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package.
So far SAP has released a few notes for this vulnerability, and it seems that most of their products are not affected:
3129956 – CVE-2021-44228 – BusinessObjects impact for Log4j vulnerability
3129883 – CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability
3129960 – How Apache Log4j vulnerability affect SAP Content Server
3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications
The list of notes regarding this vulnerability is growing by the hour. Some applications are affected, like SAP Mobile Platform, SAP Commerce Cloud, etc., while other SAP and non-SAP software such as Sybase IQ, Oracle products and DB2 databases is not. I recommend checking the list of notes related to CVE-2021-44228 for the latest news.