Zero-Day Exploit
Ongoing scans, exploitation of vulnerable systems
The bug, now tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam, is an unauthenticated RCE vulnerability allowing complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1.
It was reported by Alibaba Cloud's security team to Apache on November 24. They also revealed that CVE-2021-44228 impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.
What can I do?
Patch and mitigation are available
Apache has released Log4j 2.15.0 to address the maximum severity CVE-2021-44228 RCE vulnerability.
The flaw can also be mitigated in previous releases (2.10 and later) by setting system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath.
Those using the library are advised to upgrade to the latest release as soon as possible, since attackers are already scanning for exploitable targets.
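The two checks a defender needs when triaging the mitigation above are "is this log4j-core in the 2.0-beta9 to 2.14.1 range?" and "is JndiLookup.class still inside the jar?"; the script below, an added example not from the original article or the Log4j project, does both and applies the class-removal mitigation by rewriting the jar without that entry. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header, and the demo builds a constructed stand-in jar rather than using a real log4j-core.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry the classpath-removal mitigation deletes
FIRST_VULNERABLE, LAST_VULNERABLE = "2.0-beta9", "2.14.1"

def version_key(version):
    """Comparable tuple for '2.0-beta9', '2.10', '2.14.1'; a beta sorts before its final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))

def is_vulnerable_version(version):
    return version_key(FIRST_VULNERABLE) <= version_key(version) <= version_key(LAST_VULNERABLE)

def assess_jar(jar_path):
    """Read Implementation-Version from the manifest and check whether JndiLookup.class is present."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        has_jndi = JNDI_LOOKUP_ENTRY in jar.namelist()
    version = m.group(1) if (m := re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)) else None
    return {"version": version, "jndi_lookup_present": has_jndi,
            "action_required": version is not None and is_vulnerable_version(version) and has_jndi}

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what 'zip -q -d <jar> <entry>' does in place)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)

def demo(version="2.14.1"):
    """Build a constructed stand-in jar (manifest + empty JndiLookup.class), assess, mitigate, re-assess."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, f"log4j-core-{version}.jar")
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            z.writestr(JNDI_LOOKUP_ENTRY, b"")  # constructed placeholder, not real bytecode
        before = assess_jar(jar)
        remove_jndi_lookup(jar)
        after = assess_jar(jar)
    return before, after

if __name__ == "__main__": print(demo())
```

Removing the class is a stopgap for hosts that cannot yet move to 2.15.0; the version check still reports the jar as in-range afterwards, only `action_required` clears.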