zlatinb / muwire

MuWire file sharing client for I2P
GNU General Public License v3.0

Log4J Security Risk - muWire affected? #115

Open JamesOlvertone opened 2 years ago

JamesOlvertone commented 2 years ago

There is a new zero-day exploit possible against Java systems that use Apache Log4J, called "Log4Shell".

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

If I grep over the source I get some hits, but I think muWire does not really use it (?)

There are some workarounds: use -Dlog4j2.formatMsgNoLookups=true, delete the specific class (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class), or upgrade to the newest Log4J 2.5.

Some Java 8 releases have deactivated by default some JNDI features that this exploit uses.

Also read this: https://github.com/0x0021h/apache-log4j-rce/blob/main/poc/src/main/java/log4j.java

Collection of some Sites where the exploit worked: https://github.com/YfryTchsGD/Log4jAttackSurface

zlatinb commented 2 years ago

MuWire uses the JUL (java.util.logging) logger via the @Log Groovy annotation. The embedded I2P router uses its own logging system, which is redirected to JUL on startup.

If you unzip the .zip distribution of MuWire you will see all the jars it depends on; log4j isn't one of them.
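The check zlatinb describes (unzip the distribution and look at which jars it ships) can be done programmatically, which is handy when auditing many distributions at once. The script below is an added example, not code from this thread or from the MuWire project: it opens a distribution .zip, enumerates every nested .jar, flags the ones that are log4j-core, and reports whether the org/apache/logging/log4j/core/lookup/JndiLookup.class entry named in the deletion workaround above is still present, so a "patched by class removal" jar is distinguished from an untouched one. The distribution it inspects is constructed in memory; jar names such as log4j-core-sample.jar are placeholders, not real artifact names.

```python
"""Inspect a zipped Java distribution for log4j-core jars and the JndiLookup class."""
import io
import re
import zipfile
from dataclasses import dataclass

# Class that the JNDI lookup workaround deletes from log4j-core; its presence in a
# log4j-core 2.x jar is the marker a defender looks for (see CVE-2021-44228).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_JAR_RE = re.compile(r"(^|/)log4j-core-.*\.jar$")


@dataclass
class JarFinding:
    name: str           # path of the jar inside the distribution
    log4j_core: bool    # named like log4j-core-*.jar or ships log4j core classes
    jndi_lookup: bool   # JndiLookup.class is present inside the jar


def inspect_jar(name: str, data: bytes) -> JarFinding:
    """Open one nested jar (a zip) and look for log4j-core markers."""
    names = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            names = set(jar.namelist())
    except zipfile.BadZipFile:
        pass  # not a real jar; fall back to judging by file name only
    has_core_pkg = any(n.startswith("org/apache/logging/log4j/core/") for n in names)
    return JarFinding(
        name=name,
        log4j_core=bool(LOG4J_CORE_JAR_RE.search(name)) or has_core_pkg,
        jndi_lookup=JNDI_LOOKUP_CLASS in names,
    )


def inspect_distribution(zip_bytes: bytes) -> list:
    """Walk every *.jar inside a distribution zip and return one finding per jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as dist:
        for entry in dist.namelist():
            if entry.lower().endswith(".jar"):
                findings.append(inspect_jar(entry, dist.read(entry)))
    return findings


def summarize(findings):
    """Return (jars still carrying JndiLookup, log4j-core jars with it removed)."""
    affected = [f.name for f in findings if f.jndi_lookup]
    mitigated = [f.name for f in findings if f.log4j_core and not f.jndi_lookup]
    return affected, mitigated


def _make_jar(entries):
    """Build a minimal jar (zip) whose entries are the given class paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path in entries:
            jar.writestr(path, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant
    return buf.getvalue()


def build_sample_distribution() -> bytes:
    """Constructed sample: one untouched log4j-core jar, one with JndiLookup deleted,
    one unrelated jar, and a non-jar file that must be ignored. Names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dist:
        dist.writestr("lib/log4j-core-sample.jar", _make_jar([
            "org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS]))
        dist.writestr("lib/log4j-core-sample-stripped.jar", _make_jar([
            "org/apache/logging/log4j/core/Logger.class"]))
        dist.writestr("lib/groovy-sample.jar", _make_jar([
            "groovy/lang/GroovyObject.class"]))
        dist.writestr("README.txt", b"not a jar")
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_distribution(build_sample_distribution())
    for f in results:
        print(f"{f.name}: log4j-core={f.log4j_core} JndiLookup={f.jndi_lookup}")
    still_affected, class_removed = summarize(results)
    print("still carrying JndiLookup:", still_affected)
    print("log4j-core with JndiLookup removed:", class_removed)
```

To run it against a real download, replace build_sample_distribution() with the bytes of the distribution .zip. A distribution like the one zlatinb describes, with no log4j jar at all, yields an empty list from both halves of summarize(); note that the name-based match only catches log4j-core under its usual artifact name, which is why the class-path check is done as well.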