[ SB 21.21 ] Log4J - RCE (CVE-2021-44228)

A 0-day exploit in the popular Java logging library log4j was released) that results in Remote Code Execution (RCE) by logging a certain string.

Meanwhile, CVE-2021-44228 was assigned and updates had been released.

Currently it is not 100% sure if what we know by now (2021-12-10 11:00 AM UTC) about the attackvector, exploitation and impact is complete or not.

We try to keep up with latest events and developments with this post, but we share the estimation by Florian Roth, that this vuln is on ShellShock-Level.


tl;dr: as time goes by, more and more specific POCs for affected applications will emerge, current state is mostly spray-and-pray (2021-12-12)


besides mitigating the risk via upgrades (2.16 is the way to go), your egress-fw is a good point for mitigation

attacksurface and impact

tl;dr: its bad. its worse. we just know the tip of the iceberg yet.






tl;dr: yes.


exploitation-detection + DFIR

tl;dr: difficult, YMMV, it might be helpfull to check your fw-logs ingress/egress against IOC-lists, because you will find attempts in your logfiles anyway.




dns-IOCs for "those usual" scans

  • canarytoken.com , scanner
  • interactsh.com (nuclei, scanner)
  • ceye.io (dns, scanner)
  • dnslog.cn, scanner
  • bingsearchlib.com malicious c2-domain (deactivated)
  • burpsuitecollaborator.net (scanner)
  • dnspod.cn (dns, scanner)

if you see those, take action

scans and tests

local scans are highly recommended, if possible

vuln-testing-advice: scanning IPs is not sufficiant, think software that is reachable by hostnames (http://jira.example.com) or sits in/at the end of a comms-chain (email-sandbox, IDS/IPS/SIEM, logging-systems, accounting etc

measure your attacksurface



the following way works well for checking your own systems:

  • get a complete list of internet-facing IPs (and hostnames); attacksurface-monitoring comes in handy
  • if not sure about a complete list of hostnames, goto securitytrails and extract all hostnames and associated IPs for your domain and all associated hostnames for your IPs via their API (it will cost you 500 $, but better pay this than days of DFIR)
  • goto https://canarytokens.org and generate a dns-token (shootout to Florian Roth for this receipt
  • enable DNS-logs, you must be able to search for which host made nameresolutions. you will get a callback from a dns-server and see its ip, not the vulnerable hosts
  • use any external testscript/tool or this modified nuclei-scanfile and the canarytoken_dnshostname for payload
  • run your script against all IPs and hostnames, and monitor your emails
  • check the dns-logs for the canarytoken-hostname-resolution to find callbacks and affected systems, because the callback might get blocked or executed by another system
  • if you dont have hits, check twitter for updated external scanning-tools
  • beware of sideffects


best attackpattern so far:



Fragen? Kontakt: info@zero.bs