CVE-2021-44228 · threatengine.sh

Home/CVE/Apache Log4j2 Remote Code Execution Vulnerability

CVE

CVE-2021-44228

Apache Log4j2 Remote Code Execution Vulnerability

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CRITICAL · CVSS 10 ⚠ CISA KEV EPSS 0.94358 Ransomware: known

Act now

Listed on CISA KEV (known exploited in the wild)
Linked to known ransomware campaigns
SSVC exploitation status: active
EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 0% of all CVEs by exploitation likelihood
Public exploit or PoC is available
SSVC automatable: yes - attacks can be scripted at scale
CVSS base score ≥ 7.0

Sigma rules10 YARA rules7

⬢

Required Remediation

For all affected software assets for which updates exist, the only acceptable remediation actions are.

Apply updates.
remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

◆

Threat Actors Linked

23

actorALPHV / BlackCat
actorAndariel
actorAPT10
actorAPT31
actorAPT33
actorOilRig
Show all 23 actorsactorAPT35
actorAPT38
actorAPT39
actorAPT40
actorAPT41
actorAquatic Panda
actorBlack Basta
actorChimera (G0114)
actorContagious Interview
actorCuba
actorDarkSide / BlackMatter
actorEarth Lusca
actorAPT27
actorFlax Typhoon
actorGALLIUM
actorHive
actorIndrik Spider

⬡

Weakness Classification

CWE-20Improper Input Validation
CWE-400Uncontrolled Resource Consumption
CWE-502Deserialization of Untrusted Data
CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

▤

Affected Products & Versions

42

siemens 6bk1602-0aa12-0tp0 firmware< 2.7.0
siemens 6bk1602-0aa22-0tp0 firmware< 2.7.0
siemens 6bk1602-0aa32-0tp0 firmware< 2.7.0
siemens 6bk1602-0aa42-0tp0 firmware< 2.7.0
siemens 6bk1602-0aa52-0tp0 firmware< 2.7.0
apache log4j>= 2.0.1 and < 2.3.1
apache log4j>= 2.4.0 and < 2.12.2
apache log4j>= 2.13.0 and < 2.15.0
Show all 42 affected productsapache log4jall versions
siemens sppa-t3000 ses3000 firmwareall versions
siemens capital< 2019.1
siemens capitalall versions
siemens comos< 10.4.2
siemens desigo cc advanced reportsall versions
siemens desigo cc info centerall versions
siemens e-car operation center< 2021-12-13
siemens energy engageall versions
siemens energyipall versions
siemens energyip prepay< 3.8.0.12
siemens gma-manager< 8.6.2j-398
siemens head-end system universal device integration systemall versions
siemens industrial edge managementall versions
siemens industrial edge management hub< 2021-12-13
siemens logo\! soft comfortall versions
siemens mendixall versions
siemens mindsphere< 2021-12-16
siemens navigator< 2021-12-13
siemens nxall versions
siemens opcenter intelligence>= 3.2 and < 3.5
siemens operation scheduler<= 1.1.3
siemens sentron powermanagerall versions
siemens siguard dsa>= 4.2 and < 4.4.1
siemens sipass integratedall versions
siemens siveillance command<= 4.16.2.1
siemens siveillance control proall versions
siemens siveillance identityall versions
siemens siveillance vantageall versions
siemens siveillance viewpointall versions
siemens solid edge cam proall versions
siemens solid edge harness design< 2020
siemens solid edge harness designall versions
siemens spectrum power 4< 4.70

▤

Affected Packages

5

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven com.guicedee.services:log4j-core CRITICAL

Maven org.apache.logging.log4j:log4j-core CRITICAL fixed in 2.15.0

Maven org.ops4j.pax.logging:pax-logging-log4j2 CRITICAL fixed in 1.9.2

Maven org.xbib.elasticsearch:log4j CRITICAL

Maven uk.co.nichesolutions.logging.log4j:log4j-core CRITICAL

⚠

Public Exploits & PoCs

42

remoteAD Manager Plus 7122 - Remote Code Execution (RCE)2023-04-01
remoteApache Log4j 2 - Remote Code Execution (RCE)2021-12-14
remoteApache Log4j2 2.14.1 - Information Disclosure2021-12-14
nucleiCisco vManage (Log4j) - Remote Code Executioncritical
nucleiCisco BroadWorks - Remote Code Execution (Apache Log4j)critical
nucleiCisco WebEx - Remote Code Execution (Apache Log4j)critical
nucleiCisco CloudCenter Suite (Log4j) - Remote Code Executioncritical
nucleiCisco Unified Communications - Remote Code Execution (Apache Log4j)critical
nucleiGraylog (Log4j) - Remote Code Executioncritical
nucleiPapercut - Remote Code Execution (Apache Log4j)critical
nucleiVMware Site Recovery Manager - Remote Code Execution (Apache Log4j)critical
nucleiSplunk Enterprise - Remote Code Execution (Apache Log4j)critical
nucleiFortiPortal - Remote Code Execution (Apache Log4j)critical
nucleiElasticsearch 5 - Remote Code Execution (Apache Log4j)critical
nucleiMetabase - Remote Code Execution (Apache Log4j)critical
nucleiF-Secure Policy Manager - Remote Code Execution (Apache Log4j)critical
nucleiJitsi Meet - Remote Code Execution (Apache Log4j)critical
nucleiUniFi Network Application - Remote Code Execution (Apache Log4j)critical
nucleiManage Engine Desktop Central - Remote Code Execution (Apache Log4j)critical
nucleiOpenShift - Remote Code Execution (Apache Log4j)critical
nucleiOpenNMS - JNDI Remote Code Execution (Apache Log4j)critical
nucleiFlexnet - Remote Code Execution (Apache Log4j)critical
nucleiCitrix XenMobile Server - Remote Code Execution (Apache Log4j)critical
pocpacketstormsecurity.com · Apache-Log4j2-2.14.1-Remote-Code-Execution.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · VMware-Security-Advisory-2021-0028.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Apache-Log4j2-2.14.1-Information-Disclosure.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Apache-Log4j2-2.14.1-Remote-Code-Execution.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Log4j2-Log4Shell-Regexes.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Log4j-Payload-Generator.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · L4sh-Log4j-Remote-Code-Execution.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Log4j-Remote-Code-Execution-Word-Bypassing.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · log4j-scan-Extensive-Scanner.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · VMware-Security-Advisory-2021-0028.4.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Log4Shell-HTTP-Header-Injection.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Inje...packetstormsecurity.com
pocpacketstormsecurity.com · UniFi-Network-Application-Unauthenticated-Log4Shell-Remot...packetstormsecurity.com
pocpacketstormsecurity.com · Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Comman...packetstormsecurity.com
pocpacketstormsecurity.com · MobileIron-Log4Shell-Remote-Command-Execution.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · AD-Manager-Plus-7122-Remote-Code-Execution.htmlpacketstormsecurity.com
pocgithub.com · CVE-2021-44228github.com
poctwitter.com · 1469345530182455296twitter.com
pocwww.nu11secur1ty.com · cve-2021-44228.htmlwww.nu11secur1ty.com

◈

Detection Rules (IDS/IPS)

40

et-openET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)attempted-admin

et-openET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)attempted-admin

et-openET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)attempted-admin

et-openET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)attempted-admin

et-openET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)attempted-admin

et-openET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)attempted-admin

Show all 40 detection ruleset-openET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)attempted-admin
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228)misc-activity
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228)misc-activity
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)misc-activity
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228)misc-activity
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)misc-activity
et-openET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228)misc-activity
et-openET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228)attempted-admin
et-openET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228)attempted-admin
et-openET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Responseattempted-admin
et-openET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee)domain-c2

Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

◈

Sigma Hunt Rules

10

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

relatedcriticalBitbucket Unauthorized Full Data Export Triggered

relatedcriticalBitbucket Unauthorized Access To A Resource

relatedcriticalAntivirus Exploitation Framework Detection

relatedcriticalAntivirus Password Dumper Detection

relatedcriticalAntivirus Ransomware Detection

relatedcriticalLinux Reverse Shell Indicator

Show all 10 top matches

relatedcriticalWebshell Remote Command Execution

relatedcriticalPossible Coin Miner CPU Priority Param

relatedcriticalCobalt Strike DNS Beaconing

relatedcriticalBad Opsec Powershell Code Artifacts

See all related Sigma rules for this CVE

▣

Scoring & Timeline

10

CRITICAL · CVSS v3.1 · security@apache.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD10 Dec 2021 · 10:15 AM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

yes

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

30

rhsaRHSA-2025:1747Critical
rhsaRHSA-2025:1746Critical
rhsaRHSA-2024:10207Important
rhsaRHSA-2024:5856Important
suse-csafopenSUSE-SU-2024:11666-1
Show all 30 vendor advisoriessuse-csafopenSUSE-SU-2024:11681-1
suse-csafopenSUSE-SU-2024:11682-1
suse-csafopenSUSE-SU-2024:11683-1
suse-csafopenSUSE-SU-2024:11696-1
rhsaRHSA-2022:5458Important
rhsaRHSA-2022:5460Important
rhsaRHSA-2022:5459Important
rhsaRHSA-2022:1462Low
rhsaRHSA-2022:1469Low
rhsaRHSA-2022:1463Low
rhsaRHSA-2022:1297Low
rhsaRHSA-2022:1299Low
rhsaRHSA-2022:1296Low
rhsaRHSA-2022:0661Moderate
suse-csafopenSUSE-SU-2022:0038-1
rhsaRHSA-2022:0485Moderate
rhsaRHSA-2022:0493Moderate
rhsaRHSA-2022:0553Important
rhsaRHSA-2022:0524Low
rhsaRHSA-2022:0527Low
rhsaRHSA-2022:0507Important
suse-csafSUSE-SU-2022:0354-1
suse-csafSUSE-SU-2022:0355-1
rhsaRHSA-2022:0497Important
rhsaRHSA-2022:0475Low

🔗

References & Sources

33

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://seclists.org/fulldisclosure/2022/Dec/2ExploitMailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2022/Jul/11Mailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2022/Mar/23Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/10/1Mailing ListMitigationThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/10/2Mailing ListMitigationThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/10/3Mailing ListThird Party Advisory

Show all 33 references

http://www.openwall.com/lists/oss-security/2021/12/13/1Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/13/2Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/14/4Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/15/3Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdfThird Party Advisory

https://github.com/cisagov/log4j-affected-dbThird Party Advisory

https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.mdBroken LinkProductUS Government Resource

https://lists.debian.org/debian-lts-announce/2021/12/msg00007.htmlMailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/Release Notes

https://logging.apache.org/log4j/2.x/security.htmlRelease NotesVendor Advisory

https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/PatchThird Party AdvisoryVendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory

https://security.netapp.com/advisory/ntap-20211210-0007/Third Party Advisory

https://support.apple.com/kb/HT213189Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory

https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001Third Party Advisory

https://www.debian.org/security/2021/dsa-5020Mailing ListThird Party Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.htmlThird Party Advisory

https://www.kb.cert.org/vuls/id/930724Third Party AdvisoryUS Government Resource

https://www.oracle.com/security-alerts/alert-cve-2021-44228.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228Third Party AdvisoryUS Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin