VU#930724: Apache Log4j allows insecure JNDI lookups

Overview Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j. CISA has published Apache Log4j Vulnerability Guidance and provides a Software List. Description The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can execute arbitrary code provided by remote services such as LDAP, RMI, and DNS. More information is available from the Apache Log4j Security Vulnerabilities...