Log4Shell: Critical RCE in Ubiquitous Java Logging Library Triggers Global Scramble

What happened
CVE-2021-44228 in Apache Log4j allowed unauthenticated remote code execution via a JNDI lookup triggered simply by logging a crafted string. Log4j was embedded in hundreds of millions of Java applications, and exploitation began within hours of public disclosure, affecting Apple, Amazon, Cloudflare, and countless others.[1]
What went wrong
Log4j's JNDI lookup feature allowed untrusted input to trigger outbound network requests and load arbitrary remote code. The feature had no practical legitimate use in most deployments but was enabled by default. The library's ubiquity meant the blast radius was extraordinary.[1]
Lesson learned
Logging user-controlled data is unavoidable, but logging libraries must never execute outbound network calls triggered by log content. Dependency inventories (SBOMs) are essential — you cannot patch what you do not know you are running.
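The SBOM point is concrete enough to show in code. The following Python script is an added example (not part of the original article or of the Log4j project): it walks a CycloneDX-style SBOM and flags every `org.apache.logging.log4j:log4j-core` component whose version falls in the CVE-2021-44228 affected range. The range used (2.0-beta9 through 2.14.1, excluding the 2.3.1 and 2.12.2 security backports) is taken from the Apache Log4j advisory, not from this page; the SBOM document embedded below is constructed for the demonstration, and the version-ordering rules (alpha < beta < rc < final) are an assumption that matches how Log4j numbered its pre-releases.

```python
import json
import re

# Affected range for CVE-2021-44228 (from the Apache Log4j security advisory,
# not from the article above): log4j-core 2.0-beta9 through 2.14.1, excluding
# the Java 6 / Java 7 security backports 2.3.1 and 2.12.2.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"
BACKPORT_FIXES = {"2.3.1", "2.12.2"}

# Assumed ordering of pre-release qualifiers; a bare version is a final release.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def version_key(version: str) -> tuple:
    """Turn a Maven-style version ('2.0-beta9', '2.14.1') into a sortable tuple."""
    core, _, qualifier = version.partition("-")
    nums = [int(part) for part in core.split(".")]
    nums += [0] * (3 - len(nums))  # pad to major.minor.patch
    if not qualifier:
        return (*nums, _FINAL_RANK, 0)
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if match is None or match.group(1).lower() not in _STAGE_RANK:
        raise ValueError(f"unrecognised version qualifier in {version!r}")
    stage = _STAGE_RANK[match.group(1).lower()]
    return (*nums, stage, int(match.group(2) or 0))


def is_vulnerable_log4j(version: str) -> bool:
    """True if this log4j-core version is inside the CVE-2021-44228 range."""
    if version in BACKPORT_FIXES:
        return False
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def find_vulnerable_components(sbom: dict) -> list:
    """Return every log4j-core component in a CycloneDX SBOM that is in range.

    CycloneDX allows components to nest, so the walk recurses into each
    component's own 'components' list.
    """
    hits = []

    def walk(components):
        for comp in components:
            if (comp.get("group") == "org.apache.logging.log4j"
                    and comp.get("name") == "log4j-core"
                    and is_vulnerable_log4j(comp.get("version", ""))):
                hits.append({"purl": comp.get("purl"), "version": comp["version"]})
            walk(comp.get("components", []))

    walk(sbom.get("components", []))
    return hits


# Constructed sample SBOM: one direct log4j-core 2.14.1, one nested 2.0-rc1,
# plus versions that must NOT be flagged (fixed 2.17.1, backport 2.12.2,
# pre-range 2.0-beta8, and log4j-api which is not the vulnerable artifact).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta8",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta8"},
        {"group": "com.example", "name": "legacy-service", "version": "1.0",  # hypothetical app
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-rc1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-rc1"},
         ]},
    ],
})


def scan_sbom_json(text: str) -> list:
    """Parse an SBOM document and return the vulnerable log4j-core findings."""
    return find_vulnerable_components(json.loads(text))


if __name__ == "__main__":
    for hit in scan_sbom_json(SAMPLE_SBOM_JSON):
        print(f"VULNERABLE (CVE-2021-44228): {hit['purl']}")
```

The scan matches on the Maven group and artifact name rather than on a free-text search for "log4j", so log4j-api (which does not contain the JNDI lookup) is not reported, and the pre-release ordering means 2.0-beta8 is correctly left out while 2.0-rc1 is flagged. Point `scan_sbom_json` at an SBOM produced by your build tooling instead of the constructed one to get the same report for real inventories.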
Sources
- [1]
External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.