Sunday, May 24, 2026
Vulnerabilities

Log4Shell: Critical Log4j Vulnerability Triggers Internet-Wide Patching Race

A critical remote-code-execution flaw in the widely used Log4j Java logging library is being mass-exploited within hours of public disclosure, prompting CISA's director to call it 'one of the most serious' vulnerabilities of her career.

Sarah Chen, Infrastructure Security Reporter

A critical zero-day vulnerability in Apache Log4j — a Java logging library bundled into a staggering proportion of enterprise software — has triggered an unprecedented internet-wide patching scramble after public disclosure on Friday.

The flaw, dubbed "Log4Shell" and tracked as CVE-2021-44228, carries a CVSS score of 10.0 and allows unauthenticated remote attackers to execute arbitrary code on vulnerable servers by sending a specially crafted string that the application then logs. The attack vector is trivial: in some cases, simply changing a browser's user-agent header is enough.

The vulnerability was disclosed by Chen Zhaojun of Alibaba's cloud security team to the Apache Software Foundation, and a proof of concept began circulating on GitHub before the official patch landed.

"This is one of the most serious vulnerabilities I've seen in my entire career, if not the most serious," CISA Director Jen Easterly said during a Sunday press briefing. "Hundreds of millions of devices are likely affected."

Exploitation has already been observed in the wild, including by ransomware groups, cryptominers, and at least one nation-state actor. Cloudflare, Cisco, IBM, VMware, and Atlassian are among the major vendors confirming impacted products. Minecraft, the wildly popular game, was among the first widely known affected products; a video of exploitation through its chat helped the initial PoCs spread.

The Apache Software Foundation released Log4j 2.15.0 with mitigations, but security researchers quickly discovered that the patch was incomplete; a follow-on release, 2.16.0, removed the JNDI lookup feature entirely. CISA has issued an Emergency Directive ordering all federal civilian agencies to inventory and patch affected systems within days.
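The inventory step ordered above can be sketched as follows. This is an added example, not code from the article, Apache or CISA: it walks an application archive, descends into nested jars, and labels each bundled `log4j-core` copy against the two releases the article names. The function names, status strings and the sample archive (`shop.war`, `app.jar`) are assumptions made for illustration.

```python
import io
import re
import zipfile

# Conventional Maven file name, e.g. log4j-core-2.14.1.jar
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)+)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(version):
    """Map a log4j-core version to the release status given in the article."""
    parts = (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]
    if parts < (2, 15, 0):
        return "vulnerable"
    if parts < (2, 16, 0):
        return "incomplete fix"
    return "2.16.0 or later"

def scan_archive(data, path):
    """Return (location, version, status) for each log4j-core jar, nested ones included."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = f"{path}!/{name}"
            m = CORE_JAR.search(name)
            if m:
                findings.append((full, m.group(1), classify(m.group(1))))
            elif name.lower().endswith(ARCHIVES):
                try:  # fat jars and WAR/EAR bundles carry their libraries inside
                    findings += scan_archive(zf.read(name), full)
                except zipfile.BadZipFile:
                    findings.append((full, None, "unreadable, check manually"))
    return findings

def _zip(entries):  # builds an in-memory archive; used only for the sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR with a 2.16.0 jar, a fat jar hiding two older copies, a corrupt jar.
SAMPLE_WAR = _zip({
    "WEB-INF/lib/log4j-core-2.16.0.jar": b"",
    "WEB-INF/lib/app.jar": _zip({"BOOT-INF/lib/log4j-core-2.14.1.jar": b"",
                                 "BOOT-INF/lib/log4j-core-2.15.0.jar": b""}),
    "WEB-INF/lib/broken.jar": b"not a zip",
})

if __name__ == "__main__":
    print(*scan_archive(SAMPLE_WAR, "shop.war"), sep="\n")
```

File-name matching misses copies that were renamed or shaded into another jar, so a clean result from this check is not proof of absence.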

Tags: Log4j, Log4Shell, CVE-2021-44228, zero-day, Apache

Sarah Chen

Infrastructure Security Reporter

Covering cybersecurity news and threat intelligence for CyberNews.wiki.
