Successful exploitation could lead to RCE. If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Lightweight Directory Access Protocol (LDAP).The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including: An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. This vulnerability is considered so severe that Cloudflare CEO plans to offer protections for all customers.ĬVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2. There's a minecraft client & server exploit open right now which abuses a vulerability in log4j versions 2.0 - 2.14.1, there are proofs of concept going around already.Īdditionally, it appears that cloud services such as Steam and Apple iCloud are also affected.
On December 9, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2, a Java logging library used by a number of applications and services including but not limited to:ĭubbed Log4Shell by researchers, the origin of this vulnerability began with reports that several versions of Minecraft, the popular sandbox video game, were affected by this vulnerability. For up-to-date information, please refer to our blog post: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities Background
Update December 21: A frequently asked questions (FAQ) blog post was published on December 17 with information on Log4Shell and other associated vulnerabilities.