## https://sploitus.com/exploit?id=SAINT:C093B43E357FA7E023374178D975EB2A
Added: 12/16/2021
### Background
[Apache Log4j](<https://logging.apache.org/log4j/2.x/>) is a logging library used by many Java applications.
### Problem
An attacker who can control log message content could embed a JNDI reference to an LDAP or RMI URL that causes an executable Java class to be downloaded, leading to arbitrary command execution.
### Resolution
[Upgrade](<https://logging.apache.org/log4j/2.x/download.html>) to Apache Log4j 2.12.2 or 2.16 or higher, or apply a fix from the vendor of the software which embeds Log4j.
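To find which hosts still need the upgrade, the version thresholds above can be checked against an inventory of jar paths. The script below is an added example, not code from this advisory or from the Log4j project. It assumes jars keep the conventional `log4j-core-<version>.jar` name and that 2.12.x releases at or above 2.12.2 meet the threshold; the function names and sample paths are constructed for illustration.

```python
import re

# Thresholds from the Resolution text above: 2.12.2, or 2.16 and higher.
FIXED_MAINLINE = (2, 16, 0)
FIXED_212_LINE = (2, 12, 2)

# Assumption: jars keep the conventional name log4j-core-<version>.jar
# (renamed, shaded or nested copies need a content-based scan instead).
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.][0-9A-Za-z.]+)?\.jar$")

def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def classify(path):
    """Compare one jar path against the advisory's fixed versions."""
    v = parse_version(path)
    if v is None:
        return "not-log4j-core"
    if v >= FIXED_MAINLINE:
        return "meets-resolution"
    # Assumption: later 2.12.x releases also satisfy the 2.12.2 threshold.
    if v[:2] == (2, 12) and v >= FIXED_212_LINE:
        return "meets-resolution"
    return "upgrade-required"

def audit(paths):
    """Map each log4j-core jar path to its status; skip other files."""
    results = {p: classify(p) for p in paths}
    return {p: s for p, s in results.items() if s != "not-log4j-core"}

# Constructed inventory, e.g. the output of a recursive search for *.jar.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar",
    "/srv/api/WEB-INF/lib/log4j-core-2.0-beta9.jar",
    "C:\\apps\\svc\\lib\\log4j-core-2.17.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for jar, status in audit(SAMPLE_PATHS).items():
        print(f"{status:18} {jar}")
```

A filename match only covers jars that sit unpacked on disk under their original name, so software that embeds Log4j still needs the vendor fix the resolution mentions.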
### References
<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>
<https://logging.apache.org/log4j/2.x/security.html>
<https://isc.sans.edu/diary/28120>
### Limitations
Exploit works on web applications which use Log4j to log the User-Agent header.
### Platforms
Windows
Linux