Even if you tried VERY hard to enjoy a quiet weekend, chances are that this plan was interrupted at least once by the new Log4Shell zero-day vulnerability that was disclosed on Friday (December 10, 2021). The new vulnerability was found in the open source Java library log4j-core which is a component of one of the most popular Java logging frameworks, Log4J.

Styra Declarative Authorization Service (DAS), both SaaS and self-hosted, as well as Open Policy Agent (OPA), are not affected by the Log4j security vulnerability. The newest Apache Log4j Java-based logging utility vulnerability (CVE-2021-44228) was disclosed to Apache by Alibaba's Cloud Security Team on November, 24 2021 by Chen Zhaojun and published on December, 9 2021.

On Thursday, December 9, security researchers published a proof-of-concept exploit code for CVE-2021-44228, a remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications. Also known as Log4Shell, the situation is significant and continues to evolve, and the Cybersecurity and Infrastructure Security Agency is recommending immediate action.

A critical vulnerability, CVE-2021-44228 known as “log4shell,” in Apache’s log4j was revealed on December 10th, 2021, and has already seen wide exploitation around the Internet. Previously, we discussed the vulnerability and how to find it in your images using Sysdig Scanning reports. In a perfect world, patching would be quick, easy, and completed without any issues.

By now, you already know of — and are probably in the midst of remediating — the vulnerability that has come to be known as Log4Shell and identified as CVE-2021-44228. This is the vulnerability which security researchers disclosed on Friday (10 December 2021) for Apache’s Log4j logging framework. In this article, we’ll explore a few key Log4j facts as well as actions you can take to protect yourself and your company.

CVE-2021-44228 (Log4Shell or LogJam) is a recently discovered zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library. It was reported by the Alibaba Cloud Security team as an unauthenticated RCE vulnerability in Log4j 2.0-beta9 up to 2.14.1 and could allow a complete system takeover on vulnerable systems. The bug has received the maximum CVSS score of 10, reflecting its importance and ease of exploitation.

Last Thursday, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers.

On Thursday, December 9, a zero-day vulnerability CVE-2021-44228 (a.k.a. Log4Shell, LogJam, and Log4j) was made public. This vulnerability impacts Apache Log4j versions 2.0-beta9 to 2.14.1, and it has the highest possible CVSS score of 10.0. As of today, it is widely regarded as one of the most dangerous and widespread vulnerabilities to date.