What is the Log4J2 security vulnerability?

Your thoughts?


A Java-based security exploit that affects millions of applications.

Log4J is a very popular logging framework used with popular technologies like Spring Boot, Kafka, Redis, etc. One of its key features is property substitution, where log output is dynamically generated based on lookup values.

For example if you want to get the runtime environment in your log output you may do something like:

What is my runtime ${java:runtime}

The problem with this is Log4J allows different protocols/methods for "looking things up". One of these methods is JNDI lookup.

What they found was that these JNDI lookups can be used to bypass authentication and other security measures to run remote execution of malicious code hosted on LDAP servers.


The reason why no software engineers were around to hang out the weekend of Dec 10 :)


The worst :)


A remote code execution vulnerability found with a popular logging framework used in Java.


RCE attack made possible by Apache Logging project.