Details
Alert Id: 40043-2
Alert Type: Active
Status: alpha
Risk: High
CWE: 117
WASC: 20
Tags: OUT_OF_BAND, OWASP_2017_A09, OWASP_2021_A06, WSTG-V42-INPV-11

Summary

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and, in some environments, remote code execution.

Solution

Upgrade Log4j2 to version 2.17.1 or newer.

References

Code

org/zaproxy/zap/extension/ascanrulesAlpha/Log4ShellScanRule.java