
SECURITY RESOURCE CENTER

What is Log4Shell, and how does it exploit the log4j vulnerability

On Dec. 9, 2021, a zero-day exploit (since dubbed “Log4Shell”) was observed in the wild targeting a critical remote code execution (RCE) vulnerability in Log4j, the ubiquitous open source logging tool. The vulnerability is tracked as CVE-2021-44228. Observers consider the Log4j vulnerability the worst one in years – if not the worst one ever.

The Log4Shell vulnerability was exploited early on in the Minecraft game before Microsoft patched it this past weekend. Executing the exploit in Minecraft was very easy; threat actors only needed to paste a simple message into the chat box to compromise Minecraft’s servers. This simple hack works against any application running a Java-based product or web service that uses the Log4j Java library. The Log4j vulnerability gives threat actors unauthenticated remote code execution. It is initially triggered when the threat actor supplies a crafted string through any of a variety of input vectors; the vulnerable components then parse and process that string.

Millions of Java applications use Log4j to log events, giving threat actors a virtually endless attack surface. Attackers will be able to leverage the vulnerability for many months, and potentially for years to come, if it is not properly addressed.

We sympathize and empathize with the security teams around the world who are working 24/7 during this crisis, and hope the resources on this page will be helpful as we all contend with this massive vulnerability over the coming weeks and months.

Summary

CVE: CVE-2021-44228 and CVE-2021-45046
Affected: Apache Log4j 2 (V2.0-beta9 to 2.14.1)
Severity: CVSSv3 10.0 (Critical)
NIST NVD Publish Date: 10th December 2021
Source: Apache Software Foundation
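
For teams inventorying exposure, the sketch below is an added example (not code from this page or from Apache) that checks log4j-core jar names against the affected range listed above and descends into nested jar/war/ear archives, since bundled dependencies are what make the library hard to find. It assumes jars keep their standard log4j-core-<version>.jar file names; renamed or shaded copies need content-based checks. All function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Affected range as stated in the Summary above: 2.0-beta9 through 2.14.1.
JAR_RE = re.compile(
    r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a release sorts after its pre-releases
LOW = (2, 0, 0, 1, 9)    # 2.0-beta9
HIGH = (2, 14, 1, 3, 0)  # 2.14.1

def version_key(name):
    """Return a sortable tuple for a log4j-core jar name, or None if it is not one."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_RANK[pre.lower() if pre else None], int(pre_n or 0))

def is_affected(name):
    key = version_key(name)
    return key is not None and LOW <= key <= HIGH

def scan_archive(data, path="", depth=3):
    """Walk an archive given as bytes; return [(inner_path, affected)] per log4j-core jar."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for entry in zf.namelist():
            full = f"{path}!/{entry}" if path else entry
            if version_key(entry) is not None:
                hits.append((full, is_affected(entry)))
            elif depth > 0 and entry.lower().endswith((".jar", ".war", ".ear")):
                hits.extend(scan_archive(zf.read(entry), full, depth - 1))
    return hits

def constructed_sample():
    """Constructed input: a war holding an app jar that bundles two log4j-core versions."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", b"")  # inside the stated range
        z.writestr("BOOT-INF/lib/log4j-core-2.17.0.jar", b"")  # outside the stated range
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/app.jar", inner.getvalue())
    return outer.getvalue()
```

Calling scan_archive on the bytes of a deployed jar, war or ear returns each bundled log4j-core copy with its path inside the archive and whether its version falls in the range above.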

The combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, and the software dependencies make patching this vulnerability very difficult. And the fact that the Log4Shell exploit itself fits into a tweet makes this vuln unusually dangerous.


Casey Ellis

Founder and CTO
