# Evaluate the Log4Shell: RCE 0-day Issue

This repo contains the code to evaluate the Log4j2 issue CVE-2021-44228.

## More details


## How to Test

Send a GET request with a query parameter whose value is `${jndi:ldap://}`.


When the above request is sent, the application tries to connect to the LDAP URL, and the following error is printed because no LDAP server is running on my machine.

```
2021-12-14 09:10:25,055 http-nio-10000-exec-1 WARN Error looking up JNDI resource [ldap://]. javax.naming.CommunicationException: [Root exception is Connection refused (Connection refused)]
	at java.naming/com.sun.jndi.ldap.Connection.<init>(
	at java.naming/com.sun.jndi.ldap.LdapClient.<init>(
	at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(
	at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(
	at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(
	at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(
	at java.naming/javax.naming.InitialContext.lookup(
	at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(
	at org.apache.logging.log4j.core.lookup.Interpolator.lookup(
```
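As an added example (not code from this repo), the following Python script shows how a defender can spot this activity from both sides described above: it flags request parameter values that carry a `${jndi:` expression as sent in the test request, and it parses the log4j WARN line shown above to pull out the thread and the LDAP URL that was looked up. The sample log entries, the thread names and the host `198.51.100.7` are constructed for the example and modelled on the trace above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Log4j WARN line written when a JNDI lookup is attempted and fails, in the format
# shown above: "<date> <time> <thread> WARN Error looking up JNDI resource [<url>]. <exception>"
JNDI_WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<thread>\S+) WARN Error looking up JNDI resource \[(?P<url>[^\]]*)\]"
    r"(?:\. (?P<exc>[\w.]+Exception))?"
)
# The lookup expression as it appears in request data before log4j expands it.
JNDI_PATTERN_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

@dataclass
class JndiEvent:
    timestamp: str
    thread: str
    url: str
    scheme: str
    host: Optional[str]       # None for a bare "ldap://" as in the trace above
    exception: Optional[str]  # e.g. javax.naming.CommunicationException

def parse_jndi_warning(line: str) -> Optional[JndiEvent]:
    """Return a JndiEvent if the line records a failed JNDI lookup, else None."""
    m = JNDI_WARN_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    return JndiEvent(m.group("ts"), m.group("thread"), m.group("url"),
                     parts.scheme.lower(), parts.hostname, m.group("exc"))

def find_jndi_events(lines: Iterable[str]) -> List[JndiEvent]:
    """Collect every failed-lookup event from an application log."""
    return [e for e in map(parse_jndi_warning, lines) if e is not None]

def contains_jndi_lookup(value: str) -> bool:
    """Request-side check for a ${jndi:...} expression in a parameter value.
    Needed because a lookup that succeeds leaves no WARN line in the log."""
    return JNDI_PATTERN_RE.search(value) is not None

# Constructed sample log (hypothetical entries modelled on the trace above).
SAMPLE_LOG = [
    "2021-12-14 09:10:25,055 http-nio-10000-exec-1 WARN Error looking up JNDI resource [ldap://]. "
    "javax.naming.CommunicationException: [Root exception is Connection refused (Connection refused)]",
    "2021-12-14 09:10:26,101 http-nio-10000-exec-2 INFO Request handled in 12 ms",
    "2021-12-14 09:11:02,310 http-nio-10000-exec-3 WARN Error looking up JNDI resource "
    "[ldap://198.51.100.7:1389/]. javax.naming.CommunicationException: [Root exception is timed out]",
]
```

The request-side check matters because the WARN line only appears when the connection fails; a lookup that reaches a listening server leaves no such line.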

## Temporary Fix

### Fix 1

If the `log4j-core` version is `>=2.10`, this JNDI lookup can be disabled by adding the following JVM parameter.


### Fix 2

We can update the `log4j2.xml` file to use `{nolookups}` in the log message pattern. See branch `update-log4j2-config` for the fix.

## Permanent Fix

* Update the log4j version to `2.15.0`. See the fix in branch `update-log4j-to-2.15.0`.