Chen Zhaojun of the Alibaba Cloud Security Team[1]
Affected software
Applications logging user input using Log4j 2
Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.[2][3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online.[2][1][4][5][6] Apache gave Log4Shell a CVSS severity rating of 10, the highest available score.[7] The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.[6][8]
The vulnerability takes advantage of Log4j's allowing requests to arbitrary LDAP and JNDI servers,[2][9][10] allowing attackers to execute arbitrary Java code on a server or other computer, or leak sensitive information.[5] A list of its affected software projects has been published by the Apache Security Team.[11] Affected commercial services include Amazon Web Services,[12] Cloudflare, iCloud,[13]Minecraft: Java Edition,[14] Steam, Tencent QQ and many others.[9][15][16] According to Wiz and EY, the vulnerability affected 93% of enterprise cloud environments.[17]
The vulnerability's disclosure received strong reactions from cybersecurity experts. Cybersecurity company Tenable said the exploit was "the single biggest, most critical vulnerability ever,"[18]Ars Technica called it "arguably the most severe vulnerability ever"[19] and The Washington Post said that descriptions by security professionals "border on the apocalyptic."[8]
^ abPovolny, Steve; McKee, Douglas (10 December 2021). "Log4Shell Vulnerability is the Coal in our Stocking for 2021". McAfee. Retrieved 12 December 2021.
^ abcWortley, Free; Thrompson, Chris; Allison, Forrest (9 December 2021). "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package". LunaSec. Retrieved 12 December 2021.
^"CVE-2021-44228". Common Vulnerabilities and Exposures. Retrieved 12 December 2021.
^"Worst Apache Log4j RCE Zero day Dropped on Internet". Cyber Kendra. 9 December 2021. Retrieved 12 December 2021.
^ abNewman, Lily Hay (10 December 2021). "'The Internet Is on Fire'". Wired. ISSN 1059-1028. Retrieved 12 December 2021.
^ abMurphy, Hannah (14 December 2021). "Hackers launch more than 1.2m attacks through Log4J flaw". Financial Times. Retrieved 17 December 2021.
^ abHunter, Tatum; de Vynck, Gerrit (20 December 2021). "The 'most serious' security breach ever is unfolding right now. Here's what you need to know". The Washington Post.
^ abMott, Nathaniel (10 December 2021). "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PC Magazine. Retrieved 12 December 2021.
^Goodin, Dan (10 December 2021). "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. Retrieved 12 December 2021.
^"Apache projects affected by log4j CVE-2021-44228". 14 December 2021.
^"Update for Apache Log4j2 Issue (CVE-2021-44228)". Amazon Web Services. 12 December 2021. Retrieved 13 December 2021.
^Lovejoy, Ben (14 December 2021). "Apple patches Log4Shell iCloud vulnerability, described as most critical in a decade". 9to5Mac.
^"Security Vulnerability in Minecraft: Java Edition". Minecraft. Mojang Studios. Retrieved 13 December 2021.
^Goodin, Dan (10 December 2021). "The Internet's biggest players are all affected by critical Log4Shell 0-day". ArsTechnica. Retrieved 13 December 2021.
^Rundle, David Uberti and James (15 December 2021). "What Is the Log4j Vulnerability?". Wall Street Journal – via www.wsj.com.
^"Enterprises halfway through patching Log4Shell | Wiz Blog". www.wiz.io. 20 December 2021. Retrieved 20 December 2021.
^Barrett, Brian. "The Next Wave of Log4J Attacks Will Be Brutal". Wired. ISSN 1059-1028. Retrieved 17 December 2021.
^Goodin, Dan (13 December 2021). "As Log4Shell wreaks havoc, payroll service reports ransomware attack". Ars Technica. Retrieved 17 December 2021.
Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability...
possibly occurred as a result of the Log4Shell zero-day, but UKG claimed it did not have evidence of Log4Shell being responsible for the ransomware incident...
published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". It has been characterized by Tenable as "the single biggest, most critical...
Exploit Log4Shell to Infect VMware Horizon Servers". PCMag. Archived from the original on 2022-05-20. Retrieved 2022-05-20. Osborne, Charlie. "Log4Shell exploited...
use in its data centers in October 2021. On November 24, 2021, the bug Log4Shell was disclosed to Apache by Chen Zhaojun of Alibaba Cloud’s Security Team...
Alibaba's Cloud Security Team reported a zero-day vulnerability (later dubbed Log4Shell) involving the use of arbitrary code execution in the ubiquitous Java...
of Apache Software Foundation projects Apache Attic Apache Incubator Log4Shell CNCF Linux Foundation "Apache Software Foundation, Full Filing – Nonprofit...
ACE vulnerabilities. On December 9, 2021, a RCE vulnerability called "Log4Shell" was discovered in popular logging framework Log4j, affecting many services...
DarkSide causing substantial shortages in the southeastern USA. Log4Shell 24 November 2021 Log4Shell affected hundreds of millions of devices through Java's open...
In December 2021, ExpressVPN modified its product to protect against Log4Shell, updating its VPN to automatically block all outgoing traffic on ports...
report of the board was published 11 July 2022 and described Log4j and Log4shell. Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (2021-05-10). "Biden...
CVE-2022-22965. It was given the name Spring4Shell in reference to the recent Log4Shell vulnerability, both having similar proofs-of-concept in which attackers...
come from cosmic sources, such as black holes and neutron stars. The Log4Shell security vulnerability in a Java logging framework is publicly disclosed...
Version Release date Changes 6.0.0 January 27, 2022 Fixes for Log4Shell vulnerability and breaking changes to bundled Apache XML-RPC libraries to resolve...
encrypted exploit attempts of CVEs such as PrintNightmare, ProxyLogon, Log4Shell, and Spring4Shell. –Detection of cloud attack techniques (eg, AWS IMDS...