Vulnerabilities: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105.
Likelihood of exploitation: High
Exploit Proof of Concept: Publicly available
Exploitation in wild: Yes
Critical remote code execution (RCE) vulnerabilities have been identified that affect multiple versions of the Apache Log4j 2 software. An adversary that wants to exploit these vulnerabilities can send a request to a vulnerable service using a specially crafted payload that will cause the server to run the adversary’s code with the application system privileges. Guidance on how to remediate the vulnerabilities has evolved rapidly as the issue has become better understood. System and application administrators should stay current with the most recent information on the vulnerabilities, which may require remediation by patching or reconfiguring services, or mitigation, by restricting access to vulnerable services or other means. The best sources of current information on the vulnerabilities and how to respond are: