Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution.[2][3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021.[4] Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online.[2][1][5][6][7] Apache gave Log4Shell a CVSS severity rating of 10, the highest available score.[8] The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.[7][9]
The vulnerability's disclosure received strong reactions from cybersecurity experts. Cybersecurity company Tenable said the exploit was "the single biggest, most critical vulnerability ever,"[19]Ars Technica called it "arguably the most severe vulnerability ever"[20] and The Washington Post said that descriptions by security professionals "border on the apocalyptic."[9]