top of page
  • Writer's pictureRachel Hanlon

Critical Zero-day vulnerability in Apache Log4j Java library


Security researchers has discovered a new zero-day vulnerability dubbed Log4Shell in Apache Log4j Java-based logging library tracked as CVE-2021-44228 which has scored a perfect 10/10 in the CVSS rating (Critical). The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the vulnerable system and affects all versions from 2.0-beta9 to 2.14.1, this vulnerability can be exploited through a single string of text. Successful exploitation of this vulnerability could lead to a complete system takeover.

Some experts are calling this one of the most critical vulnerabilities they have seen in years!


  • It is recommended to update Log4j to its latest version 2.15.0

  • Block all IOC’s on firewall

  • Check all internet facing applications that are vulnerable to the exploit in the environment

Reference URLS:

Recommendations for IOCs:


For releases >=2.10:

  • Vulnerability can be mitigated by setting either the system property "log4j2.formatMsgNoLookups"


  • the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to “true”

For releases from 2.0-beta9 to 2.10.0:

  • The mitigation is to remove the "JndiLookup" class from the classpath:”zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”.

Reference URLs for IOCs:

5 views0 comments

Recent Posts

See All


bottom of page