Log4Shell

Log4Shell
CVE identifier(s)CVE-2021-44228
Date discovered24 November 2021; 3 years ago (2021-11-24)
Date patched6 December 2021; 2 years ago (2021-12-06)
DiscovererChen Zhaojun of the Alibaba Cloud Security Team[1]
Affected softwareApplications logging user input using Log4j 2

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution.[2][3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021.[4] Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online.[2][1][5][6][7] Apache gave Log4Shell a CVSS severity rating of 10, the highest available score.[8] The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.[7][9]

The vulnerability takes advantage of Log4j's allowing requests to arbitrary LDAP and JNDI servers,[2][10][11] allowing attackers to execute arbitrary Java code on a server or other computer, or leak sensitive information.[6] A list of its affected software projects has been published by the Apache Security Team.[12] Affected commercial services include Amazon Web Services,[13] Cloudflare, iCloud,[14] Minecraft: Java Edition,[15] Steam, Tencent QQ and many others.[10][16][17] According to Wiz and EY, the vulnerability affected 93% of enterprise cloud environments.[18]

The vulnerability's disclosure received strong reactions from cybersecurity experts. Cybersecurity company Tenable said the exploit was "the single biggest, most critical vulnerability ever,"[19] Ars Technica called it "arguably the most severe vulnerability ever"[20] and The Washington Post said that descriptions by security professionals "border on the apocalyptic."[9]

  1. ^ a b Povolny, Steve; McKee, Douglas (10 December 2021). "Log4Shell Vulnerability is the Coal in our Stocking for 2021". McAfee. Retrieved 12 December 2021.
  2. ^ a b c Wortley, Free; Thrompson, Chris; Allison, Forrest (9 December 2021). "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package". LunaSec. Archived from the original on 16 June 2024. Retrieved 16 June 2024.
  3. ^ "CVE-2021-44228". Common Vulnerabilities and Exposures. Retrieved 12 December 2021.
  4. ^ "Inside the Race to Fix a Potentially Disastrous Software Flaw". Bloomberg.com. 13 December 2021. Retrieved 19 November 2024.
  5. ^ "Worst Apache Log4j RCE Zero day Dropped on Internet". Cyber Kendra. 9 December 2021. Retrieved 12 December 2021.
  6. ^ a b Newman, Lily Hay (10 December 2021). "'The Internet Is on Fire'". Wired. ISSN 1059-1028. Retrieved 12 December 2021.
  7. ^ a b Murphy, Hannah (14 December 2021). "Hackers launch more than 1.2m attacks through Log4J flaw". Financial Times. Retrieved 17 December 2021.
  8. ^ "Apache Log4j Security Vulnerabilities". Log4j. Apache Software Foundation. Retrieved 12 December 2021.
  9. ^ a b Hunter, Tatum; de Vynck, Gerrit (20 December 2021). "The 'most serious' security breach ever is unfolding right now. Here's what you need to know". The Washington Post.
  10. ^ a b Mott, Nathaniel (10 December 2021). "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PC Magazine. Retrieved 12 December 2021.
  11. ^ Goodin, Dan (10 December 2021). "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. Retrieved 12 December 2021.
  12. ^ "Apache projects affected by log4j CVE-2021-44228". 14 December 2021.
  13. ^ "Update for Apache Log4j2 Issue (CVE-2021-44228)". Amazon Web Services. 12 December 2021. Retrieved 13 December 2021.
  14. ^ Lovejoy, Ben (14 December 2021). "Apple patches Log4Shell iCloud vulnerability, described as most critical in a decade". 9to5Mac.
  15. ^ "Security Vulnerability in Minecraft: Java Edition". Minecraft. Mojang Studios. Retrieved 13 December 2021.
  16. ^ Goodin, Dan (10 December 2021). "The Internet's biggest players are all affected by critical Log4Shell 0-day". ArsTechnica. Retrieved 13 December 2021.
  17. ^ Rundle, David Uberti and James (15 December 2021). "What Is the Log4j Vulnerability?". Wall Street Journal – via www.wsj.com.
  18. ^ "Enterprises halfway through patching Log4Shell | Wiz Blog". www.wiz.io. 20 December 2021. Retrieved 20 December 2021.
  19. ^ Barrett, Brian. "The Next Wave of Log4J Attacks Will Be Brutal". Wired. ISSN 1059-1028. Retrieved 17 December 2021.
  20. ^ Goodin, Dan (13 December 2021). "As Log4Shell wreaks havoc, payroll service reports ransomware attack". Ars Technica. Retrieved 17 December 2021.