CVE-2021-44228 (Log4Shell)
Vendor and product: Apache Log4j
This vulnerability, known infamously as Log4Shell, affects Apache’s Log4j library, an open-source logging framework widely used in the Java programming language. Discovered in December 2021, the bug allows a threat actor to submit a specially crafted request to a vulnerable system and cause that system to execute arbitrary code. This gives a malicious actor full control over the system, which can then be used to steal information, launch ransomware, or conduct other malicious activity.
What made this bug so critical was the widespread use of Log4j, which CISA says is incorporated into thousands of products globally. Threat actors seized on the vulnerability, and it is likely still being actively exploited. Cybersecurity firm Qualys said last month that 30% of Log4j instances remain vulnerable to exploitation.