Solar, exploiting log4j

On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j. This vulnerability earned a severity score of 10.0 (the most critical designation) and offers remote code trivial remote code execution on hosts engaging with software that utilizes this log4j version. This attack has been dubbed Log4Shell

Today, log4j versions are available which have this vulnerability patched (JNDI is fully disabled, support for Message Lookups is removed, and the DoS vulnerability CVE-2021-45046 is not present).

The danger of this vulnerability (and reason for including it here) is due to how ubiquitous the logging package is. Millions of applications as well as software providers use this package as a dependency in their own code. While you may be able to patch your own codebase using log4j, other vendors and manufacturers will still need to push their own security updates downstream. Many security researchers have likened this vulnerability to that of Shellshock by the nature of its enormous attack surface. We will see this vulnerability for years to come.

Further reading