Log4Shell: Critical Log4j RCE Vulnerabilty – Update to Version 2.15.0December 13, 2021
On Dec.10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell.
This vulnerability within the popular Java logging framework was published as CVE-2021-44228 and categorized as
Critical with a CVSS score of 10, which is the highest score possible. The vulnerability was discovered by Chen Zhaojun from Alibaba’s Cloud Security team.
All current versions of log4j2 up to and including 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.
Many application frameworks in the Java ecosystem use this logging framework by default. For instance, Apache Struts 2, Apache Solr, and Apache Druid are all affected. Aside from those, Apache log4j is also used in many Spring and Spring Boot applications, so we suggest you check your applications and update them to the latest version.
Brian Vermeer, Foojay Java Security Community Manager
(Read the complete article on Snyk.io.)