Apache Log4j2 JNDI Remote Code Execution (per folder)
Description
Apache Log4j2 versions 2.0 through 2.14.1 contain a critical remote code execution vulnerability in their JNDI (Java Naming and Directory Interface) lookup feature. This widely-used Java logging library allows attackers to exploit its message lookup substitution functionality by injecting malicious JNDI references into log messages. When the library processes these specially crafted strings, it can be tricked into retrieving and executing arbitrary code from attacker-controlled LDAP or other JNDI servers. This vulnerability, known as Log4Shell (CVE-2021-44228), affects countless applications and services that use Log4j2 for logging.
Remediation
Take immediate action to remediate this critical vulnerability using one of the following approaches, listed in order of preference:
1. Upgrade Log4j2 (Recommended): Update to Log4j2 version 2.16.0 or later, which completely removes support for message lookup patterns and disables JNDI by default. Version 2.15.0 should be avoided as it contains an incomplete fix.
2. Apply Mitigation for Versions 2.10 through 2.14.1: If immediate upgrading is not possible, set the system property log4j2.formatMsgNoLookups to true. This can be done by adding the following JVM argument:
-Dlog4j2.formatMsgNoLookups=true
3. Remove the Vulnerable Class: For versions 2.0 through 2.14.1, remove the JndiLookup class from the log4j-core JAR file:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
4. Java Version Mitigation: Ensure you are running Java 8u121 or later, which limits JNDI exploitation by setting
com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false by default. Note that this does not fully prevent exploitation and should be combined with other mitigations.After applying fixes, verify the remediation and scan your environment for any remaining vulnerable Log4j2 instances.