On Friday morning, Nov 10th, news of the Log4Shell vulnerability (CVE-2021-44228) started to appear; a few hours later several sites already had their IPs shown on GitHub, among them TSLA, Twitter, Apple and Amazon.
This vulnerability is closely related to a topic I usually post about here: JNDI lookup, and LDAP in the context of EJB for returning Java objects, that is, serialization. CVE-2021-44228 is basically just that, a JNDI lookup().
Updating your JDK to the latest release will not save you from this one, but depending on the JDK version it is much easier to exploit. Explanation:
| JDK version | Behaviour |
|---|---|
| < 8u121 | Starting with Java 8u121, remote codebases are no longer permitted by default for RMI (but not for LDAP). |
| <= 8u191 | There is a direct path from a controlled JNDI lookup to remote class loading of arbitrary code. |
| > 8u191 | RMI References and object construction can still happen. Example: Apache XBean BeanFactory. |
Solutions have already been described at length: basically, update log4j or remove the JndiLookup class from the jar. Since log4j 2.15.0, this behavior is disabled by default.
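As an added example (my own code, not from this post), a small Python scanner for the remediation just described: it walks a jar, including jars nested inside fat jars or wars, reports whether the JndiLookup class is still present and which log4j-core version the Maven metadata declares, and flags anything below the 2.15.0 threshold named above. The sample jars are constructed in memory and the class bytes are placeholders; real artifacts carry the same entry paths.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # real entry path
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # the release the post names as disabling the lookup by default

def inspect_jar(data: bytes, name: str = "<jar>") -> dict:
    """Report whether a jar, or any .jar/.war/.ear nested in it (fat jars), ships JndiLookup."""
    report = {"has_jndi_lookup": False, "version": None, "where": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry == JNDI_LOOKUP:
                report["has_jndi_lookup"] = True
                report["where"].append(name)
            elif entry == POM_PROPS:
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                report["version"] = m.group(1).strip() if m else None
            elif entry.lower().endswith((".jar", ".war", ".ear")):
                inner = inspect_jar(zf.read(entry), f"{name}!/{entry}")
                report["has_jndi_lookup"] |= inner["has_jndi_lookup"]
                report["version"] = report["version"] or inner["version"]
                report["where"].extend(inner["where"])
    return report

def needs_action(report: dict) -> bool:
    """True when JndiLookup is present and the version is unknown or older than FIXED."""
    if not report["has_jndi_lookup"]:
        return False  # class stripped out or log4j-core absent: nothing to look up
    if report["version"] is None:
        return True  # shipped but unversioned: treat as vulnerable until proven otherwise
    # Numeric compare: "2.9.1" must sort before "2.15.0", which a string compare gets wrong.
    parsed = tuple(int(p) for p in re.findall(r"\d+", report["version"])[:3])
    return parsed < FIXED

def build_sample_jar(version: str, with_lookup: bool, fat: bool = False) -> bytes:
    """Constructed fixture: a fake log4j-core jar, optionally nested under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    if not fat:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", buf.getvalue())
    return outer.getvalue()
```

Point `inspect_jar` at the bytes of each jar or war found on a host and act on every report where `needs_action` is true; the `where` list tells you which nested archive still carries the class.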