Updated: Wed Dec 15 14:45:00 SAST 2021 Further vulnerabilities have been discovered with certain non-default configurations, which are not mitigated by setting `log4j2.noFormatMsgLookup` to `true`. https://www.cve.org/CVERecord?id=CVE-2021-45046
Links
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
- https://github.com/lunasec-io/lunasec/releases/tag/v1.0.0-log4shell
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
You can learn how to exploit this vulnerability in a safe environment here:
https://tryhackme.com/room/solar
You will need to create a login and then you can follow material presented. This is essentially a training site and they have provided this environment for free to allow anyone to learn more detail about this vulnerability in a more practice way.
Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Vendor Links:
- Apache:
- Atlassian:
- Chef:
- Cloudera:
- Docker:
- Elastic:
- Grafana:
- HAProxy:
- HashiCorp
- RedHat:
- OpenShift 4 – OpenShift Logging [Elasticsearch]
- Suse:
- Sysdig:
- Ubuntu: