Open in app

Sign in

Write

Sign in

How Log4j May Infected Your Application?

Omid Haghighatgoo
3 min readDec 26, 2021

Recently we read every where about vulnerability of log4j2 … but what is the story exactly? In this article we will study about this vulnerability and how to prevent our application from this threat.

Photo by B_A from pixabay

1- Terminology

  • log4j: It is a framework that is based on java and is used for logging.
  • JNDI: Java Naming and Directory Interface is a directory service that lets application to discover or find or lookup an object by its name through a network or directory such as DNS, LDAP etc. .
  • log4Shell: It is the name vulnerability based on log4j which is discovered by Chen Zhaojun on November of 2021
  • RCE: Remote Code Execution means that an attacker run malicious code on a target server or system remotely.It does not matter if it’s a local network or on internet.

2- How attacker may infect your application

The very first step is that if the application log what the user send to application as input or not. If you don’t log, so your application is safe and it will not be affected in this way.

The second step is that if log4j version is between 2.0 and 2.15 ( 2.0 < log4j version < 2.15). If you want to know why I should say that because in these versions the default value of no lookup feature is false.

A part of Log4j2 constant.java file

This feature is not available in log4j 1.x version. So you shouldn’t be worry if your application use old version of log4j.

NOTE: YOU SHOULD CARE THAT, YOU MAY HAVE NOT USED LOG4J BUT IT IS AVAILABLE IN YOUR APPLICATION, BECAUSE LOTS OF FRAMEWORKS LIKE SPRING, STRUTS, … ARE USING THIS LIBRARY.

Third step is that attacker send a malicious code (JNDI Lookup request) as an input and application log it.

The fourth step is that the attacker should provide the resource which he/she have sent it’s address to your application.

Log4Shell Flow

In next, server will query for that address and at the end download the malicious file from attacker server and execute it (Remote Code Execution).

3- How to prevent it

1- For log4j version 1.x nothing to do because these versions are not vulnerable.

2- For java 8 or newer JDK update your log4j to 2.17

3- Disabling lookup capability : log4j2.formatMsgNoLookups = true

4- Using log4j-api.jar without log4j-core.jar is not impacted.

5- Spring boot is not impacted because it is using log4j-to-slf4j and log4j-api.

6- log4j version 2.15.0 lookup property is restricted to localhost by default.

7- Checking below links could be helpful:

Apache Log4j 2

Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and…

logging.apache.org

Apache Log4j Security Vulnerabilities

This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is…

logging.apache.org

Log4j - Configuring Log4j 2

Inserting log requests into the application code requires a fair amount of planning and effort. Observation shows that…

logging.apache.org

Security
Java
Logging
Software Development
Test

--

--

Omid Haghighatgoo

Written by Omid Haghighatgoo

21 Followers

Senior Software Engineer with a demonstrated history of working in Information Technology and Services Industry, interested in AI and Machine Learning.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams