Spring Boot Log4j - CVE-2021-44228
Description
The Log4Shell vulnerability (CVE-2021-44228) is ultimately a quite simple JNDI injection flaw, but in a really bad place: Log4j performs a JNDI lookup() while expanding placeholders in logging messages (or indirectly in the parameters of formatted messages). Read more in "PSA: Log4Shell and the current state of JNDI injection".
For information and setup, see my GitHub repository, Spring Boot Log4j - CVE-2021-44228.
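A defender-side check for the flaw described above, added here as an example (not code from the repository or from Log4j): it inspects a Spring Boot fat jar for a bundled log4j-core and reports whether the JndiLookup class, which performs the lookup, is still present. The affected-version range (2.0-beta9 through 2.14.1, with 2.3.1 and 2.12.2 as fixed backports) is an assumption taken from Apache's advisory rather than this page, and `build_sample` constructs an empty stand-in jar as input.

```python
import io
import re
import zipfile

# Class that performs the JNDI lookup() during placeholder expansion.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def affected(version):
    """Assumed range (Apache advisory): 2.0-beta9..2.14.1, minus 2.3.1 and 2.12.2+."""
    major, minor, patch = version
    if major != 2 or minor >= 15:
        return False
    return not ((minor == 12 and patch >= 2) or (minor == 3 and patch >= 1))


def scan_fat_jar(data):
    """One finding per nested log4j-core jar; pre-beta9 jars lack the class."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for name in outer.namelist():
            m = CORE_JAR.search(name)
            if not m:
                continue
            version = tuple(int(g or 0) for g in m.groups())
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                has_lookup = JNDI_LOOKUP in inner.namelist()
            findings.append({"jar": name, "version": version,
                             "jndi_lookup_present": has_lookup,
                             "at_risk": affected(version) and has_lookup})
    return findings


def build_sample(core_name, with_lookup):
    """Constructed sample: a fat jar holding an empty stand-in for log4j-core."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_lookup:
            z.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/" + core_name, inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(scan_fat_jar(build_sample("log4j-core-2.14.1.jar", True)))
```

To scan a real build artifact, pass the file's bytes, for example `scan_fat_jar(open(path, "rb").read())`.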
References
- Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
- PSA: Log4Shell and the current state of JNDI injection
- Log4Shell sample vulnerable application (CVE-2021-44228)
- JNDIExploit
Update (Dec 13th): The JNDIExploit repository has been removed from GitHub