Advanced

Log4j Vulnerability: What You Should Know

Log4Shell demonstrated how a single flaw in a nearly ubiquitous, trusted open-source logging library could put a massive share of the internet's applications, cloud services, and even IoT...

Table of Contents

Module 1: Understanding the Log4Shell Vulnerability

What Is Log4j?

Log4j is a logging framework for Java applications. Developers and security teams log application activity for good reasons: developers use logs for troubleshooting problems, and security analysts use logs to detect anomalies in traffic and behavior. Rather than writing custom logging code from scratch, a development team can pull in Log4j as an open-source, free library and wrap it into their code with minimal effort — it handles the logging plumbing automatically.

The irony is that a bug inside this widely trusted, “responsible coding” library is exactly what introduced one of the most severe vulnerabilities the industry has seen. The flaw discovered in Log4j is now known as Log4Shell. It allows an attacker to send a specially crafted message to a vulnerable application and, as a result of that message simply being logged, have the application execute attacker-controlled code.

How the Log4Shell Exploit Works

The exploit does not require sophisticated tooling. At a high level, the attack works like this:

  1. The attacker prepares a malicious payload/file and hosts it on a server they control.
  2. The attacker sends modified text (the payload string) to any field that the target application logs — for example, a username field, a User-Agent header, or any other user-controllable input.
  3. When the vulnerable application logs that string, Log4j parses it and performs a lookup that reaches out to the attacker’s remote server.
  4. Log4j retrieves the malicious code referenced by that lookup and executes it inside the vulnerable application.

Once code execution is achieved, an attacker can pivot from that single vulnerable application to move laterally elsewhere in the organization’s network — turning a single logging call into a full remote code execution (RCE) and potential network compromise.

sequenceDiagram
    participant Attacker
    participant VulnerableApp as Vulnerable Application (Log4j)
    participant AttackerServer as Attacker-Controlled Server

    Attacker->>VulnerableApp: Submit crafted string to a logged field (e.g., username, header)
    VulnerableApp->>VulnerableApp: Log4j logs and parses the string
    VulnerableApp->>AttackerServer: Outbound lookup triggered by the crafted string
    AttackerServer-->>VulnerableApp: Returns malicious code reference
    VulnerableApp->>VulnerableApp: Malicious code is executed (RCE)
    VulnerableApp->>Attacker: Attacker gains foothold / pivots laterally

Why Log4Shell Became a Global Crisis

Several factors combined to make this a “perfect storm” and led some to call Log4Shell the worst software vulnerability seen to date:

  • Ubiquity — Log4j is embedded in millions of enterprise applications, cloud services, manufacturing systems, and IoT devices. Its reach is so broad that it was even reported running on Mars: the Mars 2020 mission’s Ingenuity helicopter drone logs data using Log4j.
  • Difficulty of discovery — because Log4j is bundled inside countless third-party libraries and applications, it is extremely hard to produce a complete inventory of every place it exists across an environment.
  • Ease of exploitation — the attack requires nothing more than crafting a malicious file, hosting it, and getting a single string logged by the target application. No advanced exploit development is required.
mindmap
  root((Why Log4Shell Is So Severe))
    Ubiquity
      Millions of enterprise apps
      Cloud services
      Manufacturing systems
      IoT devices
      Even used on Mars (Ingenuity drone)
    Hard to Discover
      Bundled inside third-party libraries
      Open-source dependency chains
      Java runs everywhere, not tied to one platform/industry
    Trivial to Exploit
      Attacker only needs a hosted malicious file
      Any logged, user-controlled field can be the trigger
      No advanced tooling required

Which Applications Are Actually Vulnerable

Not every piece of software that uses Log4j is automatically exploitable. The key condition is whether the application logs a field that an attacker can influence. Consider a Java application that lets users log in with an account: the application will very likely log the usernames people attempt to use — that’s useful for troubleshooting and for security monitoring. But that same logged username field is also a perfect place for an attacker to submit a malicious string instead of a real username, turning a normal logging decision into an entry point for exploitation.

Assessing Your Organization’s Exposure

The first step for any organization is to determine where Log4j is actually being used across its systems. This is harder than it sounds, for several reasons:

  • Third-party vendor software, open-source components, and any application on the network could contain an extension that pulls in a Java library.
  • Confirming that a given Java library specifically uses Log4j (rather than just being “a Java app”) takes additional investigation.
  • Java’s core strength — that it works virtually everywhere — also means the exposure isn’t confined to a specific operating system, domain, or industry.

Once a security or development team has done the work of discovering and confirming Log4j usage, the next priority is to patch wherever possible. In some cases, organizations will be dependent on a third-party manufacturer to release and ship that patch themselves, rather than being able to patch in-house.

Practical ways to find affected instances include:

  • Software inventory / asset management tools, ideally already configured to track all software and dependencies in use across the organization (the ideal, though rarely a complete reality).
  • Vulnerability scanning tools as a starting point for identifying exposed systems.
  • Endpoint management tools such as Tanium or osquery, which are valuable both for identification and for remediation at scale.
  • Scripting skills, which are extremely helpful for searching filesystems and application directories for the vulnerable library across a large fleet of systems.
flowchart TD
    A[Start: Assume Log4j could be anywhere] --> B[Inventory known software and dependencies]
    B --> C{Complete asset inventory exists?}
    C -->|Yes| D[Cross-reference inventory for Log4j usage]
    C -->|No| E[Run vulnerability scans across the network]
    E --> F[Use endpoint tools: Tanium, osquery]
    F --> G[Use scripting to search filesystems for Log4j artifacts]
    D --> H[Confirm exact Log4j versions in use]
    G --> H
    H --> I{Patch available?}
    I -->|Yes, in-house control| J[Patch immediately]
    I -->|No, vendor-controlled| K[Escalate to vendor / manufacturer for patch]
    J --> L[Monitor network for anomalous activity]
    K --> L

Observed Attack Activity and Early Impact

At the time this vulnerability was being discussed, security teams were already observing widespread scanning activity across the internet from actors looking for vulnerable instances. There were also documented attempts to install cryptomining software on unpatched Microsoft Exchange servers. However, no confirmed, large-scale successful cyberattack campaigns had been publicly attributed to Log4Shell at that point in time — the visible activity was largely reconnaissance and opportunistic exploitation attempts.

Why Patching Alone Is Not Enough

Apache released an official update to address the vulnerability, but simply patching Log4j across the network is not sufficient on its own for two reasons:

  1. Because Log4j is used as an open-source logging plugin embedded inside thousands (if not millions) of applications, it takes considerable time for organizations to even identify every application in their environment that depends on it.
  2. Patching does not undo any compromise that may have already occurred. Organizations should operate under an assumption of compromise for any environment that includes Java-based applications, rather than assuming that patching alone restores a clean state.

Given that assumption, monitoring network traffic for anomalous activity becomes especially critical — it’s the primary way to detect whether an attacker already gained a foothold before the patch was applied.

The Evolving Vulnerability Landscape

Log4Shell was not a single, one-time disclosure — the situation continued to evolve as more information was released. A second, related “sister” vulnerability was disclosed shortly after the original Log4Shell finding, and this follow-on vulnerability was associated with the potential for denial-of-service (DoS/DDoS) attacks rather than remote code execution.

The table below summarizes the well-known public CVEs associated with this vulnerability cluster, for reference:

CVENature of the IssueApproximate Severity
CVE-2021-44228 (Log4Shell)Remote code execution via JNDI lookup injectionCritical (CVSS 10.0)
CVE-2021-45046Incomplete fix for CVE-2021-44228 in certain non-default configurations; denial-of-service and, in some configurations, RCEHigh to Critical
CVE-2021-45105Uncontrolled recursion leading to denial-of-serviceHigh
CVE-2021-44832Remote code execution requiring attacker control of the logging configurationModerate
timeline
    title Log4j Vulnerability Disclosure Timeline (Well-Known Public CVEs)
    2021-12-09 : CVE-2021-44228 (Log4Shell) disclosed - critical RCE
    2021-12-14 : CVE-2021-45046 disclosed - DoS / RCE in non-default configs
    2021-12-18 : CVE-2021-45105 disclosed - uncontrolled recursion DoS
    2021-12-28 : CVE-2021-44832 disclosed - RCE requiring config control

Overlooked Attack Surface: Home and IoT Devices

While large enterprises and major software vendors moved quickly to patch their critical systems, a less-discussed dimension of this vulnerability is the long tail of smaller, less-visible devices. Home routers and the many IoT smart home devices that consumers have added to their home networks are also potential carriers of vulnerable Java components. These devices are typically patched far more slowly than enterprise software, if they are patched at all, and represent a secondary but real implication of the vulnerability’s reach that is easy to overlook while focused on the most critical, high-visibility systems first.

Looking Ahead: Long-Term Implications

Because of how widespread and deeply embedded Log4j is, the security community expected to be discussing and responding to this vulnerability for a long time after initial disclosure. New exploits building on the underlying flaw were anticipated to keep emerging. Organizations that want to stay ahead of continued exploitation attempts need to invest heavily in incident response capability and security analytics, rather than treating this as a one-time patch-and-move-on event.

flowchart LR
    A[Initial Disclosure] --> B[Rapid Patch Development]
    B --> C[Follow-on CVEs Discovered]
    C --> D[New Exploit Variants Emerge Over Time]
    D --> E[Ongoing Scanning and Opportunistic Attacks]
    E --> F[Long-Tail Devices Remain Unpatched: Routers, IoT]
    F --> G[Sustained Investment in IR and Security Analytics Required]

Summary

Log4Shell demonstrated how a single flaw in a nearly ubiquitous, trusted open-source logging library could put a massive share of the internet’s applications, cloud services, and even IoT and embedded devices at risk simultaneously. The vulnerability was severe not because it required sophisticated tradecraft, but because it combined trivial exploitability with extreme difficulty in fully mapping where the vulnerable component actually existed across any given environment.

Key takeaways:

  • Log4j is a widely embedded Java logging library; the Log4Shell flaw lets an attacker trigger remote code execution simply by getting a malicious string logged by a vulnerable application.
  • Not every Log4j-using application is exploitable — exposure depends on whether the application logs attacker-controllable input.
  • Discovering every instance of Log4j across an environment is often harder than patching it, due to the depth of dependency chains and third-party/vendor software.
  • Patching is necessary but not sufficient — organizations should assume potential compromise and monitor network traffic for anomalies rather than treating a patch as full remediation.
  • The vulnerability landscape continued to evolve with additional related CVEs (including a denial-of-service variant), and new exploit techniques were expected to keep surfacing.
  • Overlooked, low-visibility devices such as home routers and IoT smart home products represent an easily forgotten but real part of the total attack surface.

Mitigation Checklist

ActionWhy It Matters
Inventory all software and dependencies across the organizationYou cannot patch what you have not identified
Run vulnerability scans and use endpoint tools (e.g., Tanium, osquery)Practical way to locate vulnerable instances at scale
Use scripting to search filesystems for the Log4j library and its versionFills gaps where asset inventories are incomplete
Patch to the fixed Log4j version wherever you control the applicationRemoves the underlying vulnerable code path
Escalate to vendors/manufacturers for third-party software you don’t controlSome instances can only be remediated upstream
Assume compromise in Java-based environments, even after patchingPatching does not reverse prior exploitation
Increase monitoring of network traffic for anomalous activityPrimary method for detecting a foothold gained before patching
Track follow-on CVEs and new exploit techniques over timeThe vulnerability landscape kept evolving after initial disclosure
Extend remediation efforts to home routers and IoT/smart home devicesFrequently overlooked, slow-to-patch part of the attack surface
Invest in incident response capability and security analyticsNeeded for sustained, long-term resilience against ongoing exploitation

Search Terms

log4j · vulnerability · know · briefings · networking · systems · security · log4shell · attack

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.