Critical vulnerability in Log4j library – Log4Shell (CVE-2021-44228)

A recent zero-day exploit in the popular Java logging library Apache Log4j2 exposes millions of systems to trivial remote code execution attacks. The vulnerability also known as Log4Shell (CVE-2021-44228) has been first publicly disclosed on December 9th, 2021. Starting with December 10th we found dozens of enumeration and attack attempts on deployed Pet-HMR honeypots, that included a lot of variations and evasion techniques from current fixes and security tools.

The vulnerability affects all Log4j2 versions until 2.14.1 and has been classified as extremely critical by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The most important factors are that the library is extremely widespread, and that the vulnerability is very easy to exploit since it only requires to trigger a log message containing certain strings. Injecting such strings into log messages is easy because logs typically contain information provided by a client (e.g HTTP request headers), that if not parsed correctly can become a big security threat.

More details on X41 blogpost