Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Arbitrary Code Execution vulnerabilities in an interactive lesson.
Start learningUpgrade org.apache.logging.log4j:log4j-core
to version 2.3.2, 2.12.4, 2.17.1 or higher.
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Even though this vulnerability appears to be related to the log4Shell vulnerability, this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.
An attacker with access to modification of logging configuration is able to configure JDBCAppender
with a data source referencing a JNDI URI - which can execute malicious code.
In the fixed versions, JDBCAppender
is using JndiManager
and disables JNDI lookups by default (via log4j2.enableJndiJdbc=false
).
If you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:
JDBCAppender
JDBCAppender
is used, make sure that it is not configured to use any protocol other than Java