A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0.0 and before and including 2.14.1 which could allow a remote attacker to execute code on the server if the system logs an attacker controlled string value with the attacker's JNDI LDAP server lookup. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0.0 and before and including 2.14.1 which could allow a remote attacker to execute code on the server if the system logs an attacker controlled string value with the attacker's JNDI LDAP server lookup. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
This issue only affects log4j versions between 2.0 and 2.14.1. log4j 1.x is NOT affected by this flaw. In order to exploit this flaw you need
Set log4j2.formatMsgNoLookups to true.
Vulmon