Last week, one of the most critical 0-day vulnerabilities in several years was made public. The issue is in Apache Log4j version 2, a commonly used Java logging utility, and could allow remote code execution on a vulnerable system. The vulnerability lies in Log4j’s use of the Java Naming and Directory Interface™ (JNDI) Lightweight Directory Access Protocol (LDAP) server lookup functionality. If it is exploited, a sophisticated, unauthenticated remote attacker can execute arbitrary commands that could lead to a system compromise. Log4j versions between 2.0 and 2.14.1 are impacted by this issue.
In order for the issue to be exploitable, the impacted service must meet the following criteria:
- A remotely accessible endpoint with any protocol (e.g., HTTP, TCP) that allows an attacker to send arbitrary data
- A log statement in the endpoint that logs the untrusted data controlled by an attacker
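To find which services need checking against these criteria, the affected range stated above (2.0 through 2.14.1) can be applied to a file inventory. This added example is not part of the original advisory; it assumes the library is deployed under its Maven-style file name `log4j-core-<version>.jar`, ignores pre-release qualifiers such as `-beta9` (so those builds are flagged by their numeric version), and uses a constructed list of sample paths.

```python
import re

# Affected range as stated on this page: 2.0 through 2.14.1, inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Assumption: Maven-style naming, log4j-core-<major>.<minor>[.<patch>][-qualifier].jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].+)?\.jar$")


def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    name = re.split(r"[\\/]", path)[-1]  # accept POSIX and Windows separators
    m = JAR_RE.match(name)
    if not m:
        return None
    # A missing patch component counts as 0; qualifiers are ignored (assumption).
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(path):
    """Return 'affected', 'outside-range' or 'not-log4j-core' for one path."""
    version = parse_version(path)
    if version is None:
        return "not-log4j-core"
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    return "affected" if in_range else "outside-range"


def affected_jars(paths):
    """Filter an inventory down to jars inside the page's affected range."""
    return [p for p in paths if classify(p) == "affected"]


# Constructed sample inventory (not taken from the original page).
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/legacy/WEB-INF/lib/log4j-core-2.0-beta9.jar",
    "C:\\svc\\lib\\log4j-core-2.15.0.jar",
    "/srv/old/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):15} {p}")
```

Here `outside-range` means only that the version falls outside the range this page states. File-name matching also misses copies repackaged inside fat or shaded JARs, so a clean result is not proof of absence.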