⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available. Due date: 2021-12-24.
Severity: 10.0 CRITICAL
EPSS: 94.4% (top 0.04%)
CISA KEV: KEV, Ransomware; added 2021-12-10; due 2021-12-24
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Dec 10; KEV added Dec 10; KEV due Dec 24; Latest update Dec 19

Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along wit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (117 packages)

Source | Package | Affected versions
Maven | org.apache.logging.log4j:log4j-core | 2.13.0 (introduced), 2.15.0 (fixed), +2 more ranges
CVEListV5 | apache_software_foundation/apache_log4j2 | 2.0-beta9, log4j-core*
Debian | apache-log4j2 | < 2.15.0-1~deb11u1, +3 more
Ubuntu | apache-log4j2 | < 2.16.0-0.20.04.1
NVD | apache/log4j | 2.0.1 (introduced), 2.3.1 (fixed), +3 more ranges

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35

Patches

🔴 Vulnerability Details (13)

GHSA: Security Advisory for "Log4Shell" (2022-01-21)
OSV: Security Advisory for "Log4Shell" (2022-01-21)
GHSA: Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library (2022-01-06)
OSV: Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library (2022-01-06)
GHSA: Critical vulnerability in log4j may affect generated PEAR projects (2021-12-16)

💥 Exploits & PoCs (49)

Exploit-DB: AD Manager Plus 7122 - Remote Code Execution (RCE) (2023-04-01)
Exploit-DB: Apache Log4j2 2.14.1 - Information Disclosure (2021-12-14)
Exploit-DB: Apache Log4j 2 - Remote Code Execution (RCE) (2021-12-14)
Nuclei: OpenNMS - JNDI Remote Code Execution (Apache Log4j)
Nuclei: Jitsi Meet - Remote Code Execution (Apache Log4j)

🔍 Detection Rules (106)

Suricata: ET EXPLOIT Apache log4j RCE Attempt (http) (Outbound) (CVE-2021-44228) (2023-04-21)
Suricata: ET EXPLOIT Apache log4j RCE Attempt (http) (Inbound) (CVE-2021-44228) (2023-04-21)
Suricata: ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Outbound) (2022-06-21)
Suricata: ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Inbound) (2022-06-21)
Suricata: ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af) (2021-12-21)

📋 Vendor Advisories (21)

Apple: CVE-2022-22607: Xcode 13.3 (2022-03-14)
Apple: CVE-2022-22605: Xcode 13.3 (2022-03-14)
Apple: CVE-2021-44228: Xcode 13.3 (2022-03-14)
Apple: CVE-2022-22602: Xcode 13.3 (2022-03-14)
Apple: CVE-2022-22601: Xcode 13.3 (2022-03-14)

🕵️ Threat Intelligence (64)

Wiz: CVE Scanning: What It Is, How It Works and Why It Matters | Wiz (2025-12-19)
Bleepingcomputer: Lazarus hackers drop new RAT malware using 2-year-old Log4j bug (2023-12-11)
Bleepingcomputer: Over 30% of Log4J apps use a vulnerable version of the library (2023-12-10)
Qualys: What’s Next After Log4Shell? (2023-02-22)

📐 Framework References (1)

OWASP: VWAD: Log4Shell sample vulnerable application

📄 Research Papers (1)

CTF: Crafty / README

💬 Community (10)

HackerOne: [forum.acronis.com] JNDI Code Injection due an outdated log4j component (2024-08-28)
HackerOne: [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com (2024-08-28)
HackerOne: Remote code injection in Log4j on https://mymtn.mtncongo.net - CVE-2021-44228 (2024-08-24)
HackerOne: Remote code injection in Log4j on http://mtn1app.mtncameroon.net - CVE-2021-44228 (2024-08-24)
HackerOne: LOGJ4 VUlnerability [HtUS] (2022-11-18)