Apache Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. Apache's security guidance states that in Log4j2 <= 2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can therefore have arbitrary code loaded from an LDAP server and executed, provided message lookup substitution is enabled. From Log4j 2.15.0, this behavior is disabled by default.
The vulnerability allows remote code execution and, with it, access to the affected servers.
“This is a worst-case scenario. The combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet. The immediate action is to stop what you’re doing as a software shop and enumerate where log4j exists and might exist in your environment and products. It’s the kind of software that can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.” – Bugcrowd Founder and CTO Casey Ellis
The Log4j vulnerability's attack surface is growing by the minute. The logging package contains a flaw that lets specially formatted strings in logged data trigger code execution. Interestingly, the vulnerability was first noticed through Minecraft servers. It poses a threat of cosmic scale to the entire internet, because logging user-supplied data is one of the first and most basic steps in modern digital infrastructure; an exploit could therefore trample your systems in the blink of an eye.
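Enumerating where log4j-core lives, as Ellis recommends above, can be automated. The following Python script is an added example (not code from the article or from the Log4j project): it walks a directory tree, opens jars, wars and ears, recurses into bundled jars such as those under WEB-INF/lib, and flags any archive that carries JndiLookup.class at a version below 2.15.0, the release that turned message lookups off by default. The class and metadata paths follow log4j-core's standard jar layout; the sample jar is constructed inside the script so it runs offline.

```python
import io
import zipfile
from itertools import takewhile
from pathlib import Path

# Markers based on log4j-core's jar layout (assumed, not quoted from the article): the
# lookup class, the Maven metadata carrying its version, and the first fixed release.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); stops at the first non-numeric component."""
    return tuple(int(p) for p in takewhile(str.isdigit, text.strip().split(".")))

def is_vulnerable(data):
    """True if this jar, or a jar nested in it, ships JndiLookup.class below 2.15.0 (or unversioned)."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with jar:
        names = jar.namelist()
        if JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPERTIES in names:
                for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            if version is None or version < FIXED_VERSION:
                return True
        return any(is_vulnerable(jar.read(n)) for n in names if n.endswith(".jar"))

def scan_tree(root):
    """Walk a directory tree and list the archives that look vulnerable."""
    return [str(p) for p in sorted(Path(root).rglob("*")) if p.is_file()
            and p.suffix in (".jar", ".war", ".ear") and is_vulnerable(p.read_bytes())]

def build_sample_jar(version, wrap_in_war=False):
    """Constructed fixture: a minimal log4j-core-shaped jar, optionally bundled in a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    if not wrap_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", buf.getvalue())
    return war.getvalue()
```

Archives with no readable pom.properties are flagged too, since a repackaged or shaded copy of log4j-core without metadata still deserves a manual look; running `scan_tree("/opt")` on a host lists the offending paths.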