We are starting this thread and making it available to the public, as a community service, due to the severity of this active exploit. Please post all updates and new information to this thread.
Pinning this important resource to the top of this thread for maximum visibility:
Sharing this important list of vulnerable and safe software. Will pin this to the top of this thread as well. It's also embedded in the resource list further up/down (depending where you are reading this in the list) in this thread.
Operational information regarding the log4shell vulnerabilities in the Log4j logging library. - log4shell/software at main · NCSC-NL/log4shell
A Zero-day Exploit for Log4j Java Library Could Have a Tsunami Impact on IT Giants
“Experts publicly disclose Proof-of-concept exploits for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library. The Chinese security researcher p0rz9 who publicly disclosed the PoC exploit code revealed that the CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false” (Security Affairs, 2021).
The Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.
The vulnerability was assigned CVE-2021-44228, it allows an unauthenticated attacker to execute arbitrary code on a vulnerable system leading to complete system takeover.
Most alarming, the vulnerability does not require any special configurations which is why it received a CVSS score of 10/10. Apache Struts2, Apache Solr, Apache Druid, Apache Flink are all affected by this vulnerability. Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.
“IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue. Researchers from Bad Packets are already observing mass scanning activity for this vulnerability. Lunasec, who tracked this vulnerability as LogJam, confirmed the wide impact of this issue” (Security Affairs, 2021).
Apache addressed the issue with the release of a Log4j release candidate version (2.15.0-rc1), but security researchers already discovered a bypass and are urging impacted organizations to update to the latest RC build log4j-2.15.0-rc2.
Greynoise is sharing IPs it identified as exploiting this vuln - you can find details here:
Last edited by a moderator: