Sunday, December 12, 2021

LOG4SHELL - CVE-2021-44228: Apache Zero-Day

LOG4SHell / Log4j2 -

              Zero-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. 

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring-Boot web applications. 

The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar. CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10, the highest possible severity rating.

Who is Impacted:

Too many services are vulnerable to this exploit as log4j is a wild rang used Java-based logging utility. Cloud services like Steam, Apple iCloud, and applications like Minecraft have already been found to be vulnerable.

 Anybody using Apache frameworks services or any SpringBoot Java-based framework applications uses log4j2 is likely to be vulnerable.

Affected Apache log4j2 Versions


Ask admin/system team to run a search/grep command on all servers to spot any file with name "log4j2", Then check if it is a vulnerable version or not"


Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Apache Log4j page below, You can download it and updated on you system "

Ref Link:


Add "log4j.format.msg.nolookups=true" to the global configuration of your server/web applications"