Details
Alert ID 40043-2
Alert Type Active
Status release
Risk High
CWE 117
WASC 20
Technologies Targeted Language / Java
Tags CVE-2021-45046
CWE-117
OUT_OF_BAND
OWASP_2017_A09
OWASP_2021_A06
WSTG-V42-INPV-11
More Info Scan Rule Help

Summary

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments.

Solution

Upgrade Log4j2 to version 2.17.1 or newer.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java