Re: log4j trivial RCE (similar to ShellShock) - "Log4Shell" CVE-2021-44228

Royce Williams

This one is developing quickly, so I'll push updates here as I discover them:

Royce Williams
Tech Solvency

On Fri, Dec 10, 2021 at 7:21 AM Royce Williams <royce@...> wrote:
Summary (Dan Goodin):
Log4j takes a log message, interprets it as a URL and goes out and fetches it. It will even execute JavaScript in URLs with full privileges of the main program. Exploits are triggered inside log messages using the ${} syntax. Easy peasy.

Who is affected:
- Servers and clients that run Java and also log anything using the log4j framework
- log4j 2.x confirmed, and probably log4j 1.x also
- Don't forget appliances that use Java server components
- Downstream projects that include log4j, including Apache Struts, Solr, etc.

Required to fully mitigate:
- Upgrade to Log4j 2.15.0
- requires Java 8

Exploitation: active:

Mitigations - easiest:
- (@MalwareTechBlog): If you can't upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).

Mitigations - official project itself (
>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a file on the classpath to prevent lookups in log event messages.
>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
>Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Mitigations - harder:
- WAF to limit exploit queries
- egress filtering to block unexpected outbound traffic

Exploit detection:

Good threads and summaries:

Royce Williams
Tech Solvency
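The "remove the JndiLookup and JndiManager classes from the log4j-core jar" mitigation quoted above, as an added Python example that is not part of the original message or of the Log4j project. It builds a constructed stand-in jar (placeholder entries, not real bytecode), reports which JNDI classes are present, and writes a copy without them; the class paths are the ones those classes occupy inside log4j-core.

```python
"""Find and strip the JNDI lookup classes from a log4j-core jar (a jar is a zip file)."""
import io
import sys
import zipfile

# Entry paths of the two classes named in the project's mitigation advice.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
JNDI_CLASSES = (JNDI_LOOKUP, JNDI_MANAGER)


def list_entries(jar_bytes: bytes) -> list:
    """Return every entry name in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()


def find_jndi_classes(jar_bytes: bytes) -> list:
    """Return the JNDI-related entries still present; an empty list means already stripped."""
    names = set(list_entries(jar_bytes))
    return [cls for cls in JNDI_CLASSES if cls in names]


def strip_jndi_classes(jar_bytes: bytes, remove_manager: bool = False) -> bytes:
    """Return a copy of the jar without JndiLookup (and, if asked, JndiManager).

    JndiManager is kept by default: the advice above notes that removing it also
    breaks JndiContextSelector and JMSAppender, so that is a deliberate choice."""
    drop = {JNDI_LOOKUP, JNDI_MANAGER} if remove_manager else {JNDI_LOOKUP}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in drop:
                continue  # everything else is copied through unchanged
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar() -> bytes:
    """Constructed stand-in for a vulnerable log4j-core jar (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in JNDI_CLASSES:
            jar.writestr(cls, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real log4j-core-*.jar path to check it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_jar()
    print("JNDI classes present:", find_jndi_classes(data))
    print("after stripping JndiLookup:", find_jndi_classes(strip_jndi_classes(data)))
```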
