Log4Shell: Apache Log4j 2 CVE-2021-44228

If you haven’t been living under a rock for the past few hours, you’ll know that last Friday a critical vulnerability in the Log4j 2 package, a massively used Java log library, started to go viral.

This vulnerability, dubbed Log4Shell and discovered by Chen Zhaojun (software engineer at Alibaba), has been assigned the CVE CVE-2021-4428, with a CVSS of 10.0.

Although by now there is tons of public information about it, let’s give a few hints about it.

The actors

Log4j 2: the Lookup plugin

As we have already mentioned, Log4j 2 is a log library for Java applications used by developers to log application information. Using it is as simple as including something like log.debug(“Test message”); in the code, which will generate a log entry. Often, the information that is logged is related to the application itself and its execution context.

One of the capabilities of the library, called Lookups, is the ability to use variables when writing to the log, which will be replaced by the corresponding value, with a specific syntax: ${variable}. For example, if we use ${java:runtime}, when the application logs, it will record the Java runtime version.

[Read more…]