Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Log4j Remote Code Execution and Denial-of-Service Vulnerability via Thread Context Map Patterns

Vulnerability

A vulnerability has been identified in Apache Log4j 2.15.0, where the fix for the previous remote code execution vulnerability (CVE-2021-44228) was incomplete in certain non-default configurations. The issue allows attackers who control Thread Context Map (MDC) input data to inject malicious input when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern. Exploitation can lead to an information leak and remote code execution in some environments, while all environments are susceptible to local code execution. Log4j versions 2.16.0 (Java 8) and 2.12.2 (Java 7) address this vulnerability by removing support for message lookup patterns and disabling JNDI functionality by default.

Impact

Exploitation of this vulnerability can result in an information leak and remote code execution in some environments, with local code execution possible in all environments.

Reproduction

To reproduce this vulnerability, use Apache Log4j 2.15.0 in a logging configuration that includes a non-default Pattern Layout with a Context Lookup or a Thread Context Map pattern. Control the Thread Context Map input data to craft malicious input that exploits the vulnerability, using a JNDI Lookup pattern.

Remediation

Update Log4j to version 2.16.0 or later (2.12.2 on the Java 7 branch). Where an immediate upgrade is not possible on versions prior to 2.16.0, remove the JndiLookup class from the classpath.
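The advisory ties exposure to two conditions: an unfixed log4j-core version and a non-default Pattern Layout that expands Thread Context Map data. The following audit helper, added here as an example and not part of the advisory, checks both against a log4j2.xml document; the two configurations embedded in it are constructed samples, and the version strings it accepts are assumed to be plain dotted numbers as found in the log4j-core jar manifest.

```python
import re
import xml.etree.ElementTree as ET

# Non-default PatternLayout elements that expand Thread Context Map data:
# the MDC converters (%X, %mdc, %MDC) and the Context Lookup (${ctx:...}).
MDC_CONVERTER = re.compile(r"%(X|mdc|MDC)\b")
CTX_LOOKUP = re.compile(r"\$\{ctx:")

# Constructed log4j2.xml samples for demonstration (not from any real system).
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders><Console name="Console" target="SYSTEM_OUT">
    <PatternLayout pattern="%d %p %c{1.} [%t] %X{user} $${ctx:loginId} %m%n"/>
  </Console></Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""
DEFAULT_CONFIG = """<Configuration status="WARN">
  <Appenders><Console name="Console" target="SYSTEM_OUT">
    <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
  </Console></Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

def version_fixed(version):
    """True when log4j-core carries the fix: 2.16.0 or later (Java 8), or
    2.12.2 or later on the Java 7 branch. Anything else is treated as unfixed."""
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))  # pad "2.17" to (2, 17, 0)
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 16, 0)

def risky_patterns(config_xml):
    """Return every PatternLayout pattern that pulls in MDC data, whether given
    as a pattern attribute or as a nested <Pattern> element."""
    found = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        child = layout.find("Pattern")
        pattern = child.text if child is not None and child.text else layout.get("pattern", "")
        if MDC_CONVERTER.search(pattern) or CTX_LOOKUP.search(pattern):
            found.append(pattern)
    return found

def assess(version, config_xml):
    """Exposed only when the version is unfixed AND a risky pattern is in use;
    an unfixed version with default patterns still warrants the upgrade."""
    patterns = risky_patterns(config_xml)
    fixed = version_fixed(version)
    return {"version_fixed": fixed, "risky_patterns": patterns,
            "exposed": not fixed and bool(patterns)}
```

Run `assess` over each deployed log4j-core version and its active configuration; a result with `exposed` set to True is the case the advisory describes, while `version_fixed` False on its own is the case the Remediation section already covers.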

Added: May 14, 2026, 6:36 AM
Updated: May 14, 2026, 6:36 AM

Vulnerability Rating

Custom Algorithm

  spread          7.8
  impact          7.5
  exploitability  5.8
  remediation     7.7
  relevance       0.0
  threat          9.9
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.