Apache Log4j
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*
- >= 2.0-beta9, < 2.15.0
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability exists in Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding security releases 2.12.2, 2.12.3, and 2.3.1. The vulnerability arises because JNDI features used in configuration, log messages, and parameters do not adequately protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can manipulate log messages or their parameters can execute arbitrary code loaded from LDAP servers, provided that message lookup substitution is enabled. This issue is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Exploitation of this vulnerability allows for remote code execution on the affected system.
To reproduce this vulnerability, an attacker must send a crafted log message that exploits the JNDI lookup feature. This can be done by manipulating log message parameters to include a JNDI lookup pattern that points to an LDAP server controlled by the attacker. Once the message is logged, the vulnerable Log4j2 component will process the JNDI lookup, leading to the execution of arbitrary code from the attacker's LDAP server.
Users are advised to update Apache Log4j to version 2.16.0 or later. If an immediate update is not possible, versions 2.10 through 2.14.1 can be mitigated by removing the JndiLookup class from the log4j-core JAR file or by setting the log4j2.formatMsgNoLookups parameter to true. For applications running on Kubernetes, the corresponding environment variable can be set to apply the mitigation across all pods and containers.
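As an added example (not from this entry or the Log4j project), a small Python check for the class-removal mitigation described above: it reads the log4j-core version from a JAR, decides whether it falls in the affected range listed at the top of this entry (minus the named security releases), reports whether JndiLookup.class is still present, and produces a copy with that class removed. The sample JAR is constructed in memory; the pom.properties and class paths are the standard Maven layout, assumed here.

```python
import io
import zipfile

# Entry paths inside a log4j-core JAR (standard Maven layout, assumed here).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}  # listed in this entry as not affected

def parse_version(v):
    """'2.14.1' or '2.0-beta9' -> (major, minor, patch, tag); a pre-release tag sorts below the final ('~' > letters)."""
    num, _, pre = v.partition("-")
    parts = [int(p) for p in num.split(".")] + [0, 0]
    return tuple(parts[:3]) + (pre or "~",)

def is_affected(version):
    """Affected range from this entry: >= 2.0-beta9 and < 2.15.0, minus the named security releases."""
    if version in SECURITY_RELEASES:
        return False
    return parse_version("2.0-beta9") <= parse_version(version) < parse_version("2.15.0")

def inspect_jar(data):
    """Read the version from pom.properties and check whether JndiLookup.class is still present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    present = JNDI_LOOKUP in names
    return {"version": version, "jndi_lookup_present": present,
            "vulnerable": version is not None and is_affected(version) and present}

def strip_jndi_lookup(data):
    """The class-removal mitigation, in memory: copy every entry except JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar; the class entry holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"placeholder, not real bytecode")
    return buf.getvalue()
```

Against a real artifact, pass `open(path, "rb").read()` to `inspect_jar`; JARs nested inside a WAR or fat JAR need the same check applied to each inner archive.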