Log4j is a logging tool that is part of Apache Logging Services and one of several Java logging frameworks. It is written in Java and is present in millions of applications and services. Log4Shell is the name given to the vulnerability found in Log4j.
The vulnerability, known as CVE-2021-44228 or Log4Shell, allows an attacker to inject a special string into the logging server, which gives the attacker the ability to execute code and install software that can be used for remote access and other malicious activities such as deploying ransomware. The vulnerability was first discovered on Minecraft servers, where attackers were posting special strings in chat that allowed them to exploit those systems. The discovery may have happened as early as December 2nd and was published on December 9th, 2021. Many are saying that this could be the worst vulnerability of the past decade because Log4j is so broadly deployed across millions of applications. Apple, Amazon, Cloudflare, Twitter, Steam, Minecraft, SonicWall, VMware, cPanel and many other companies have released statements about their use and remediation of Log4j. As a preventative measure, Quebec shut down roughly 4,000 of its websites to determine the impact of the Log4Shell vulnerability. It has also been reported that Log4Shell can be used to exfiltrate AWS secrets.
Attackers are currently using botnets to scan the internet for indications of Log4j so that it can be exploited.
As for remediation, organizations are urged to look for Log4j and patch it with release 2.15.0. This may be a challenge for many organizations, however, as it may not be immediately clear how many applications use Log4j.
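One way to take that inventory, as an added example that is not from the original article or the Log4j project: the Python code below looks inside an application archive, including jars nested in fat jars and WARs, for copies of log4j-core older than the 2.15.0 release named above. It assumes log4j-core's usual Maven metadata path and `JndiLookup` class path; the archive names and contents in `demo()` are constructed sample input.

```python
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # release the article says to patch to
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, name, depth=0, max_depth=5):
    """Yield (path, version, needs_patch) for each log4j-core copy in data."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:
            ver = parse_version(zf.read(POM).decode("utf-8", "replace"))
            yield name, ver, ver is None or ver < FIXED
        elif JNDI in names:  # shaded copy: class present, Maven metadata gone
            yield name, None, True
        if depth < max_depth:
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_EXT):
                    yield from scan_archive(zf.read(inner), f"{name}!/{inner}", depth + 1, max_depth)

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, body in entries.items():
            zf.writestr(entry, body)
    return buf.getvalue()

def demo():
    old = make_zip({POM: b"version=2.14.1\n", JNDI: b""})
    new = make_zip({POM: b"version=2.15.0\n", JNDI: b""})
    shaded = make_zip({JNDI: b""})
    app = make_zip({"BOOT-INF/lib/log4j-core-2.14.1.jar": old,
                    "BOOT-INF/lib/log4j-core-2.15.0.jar": new,
                    "BOOT-INF/lib/vendor-all.jar": shaded})
    return list(scan_archive(app, "app.jar"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To scan real deployments, pass each archive's bytes and path to `scan_archive`; a result with version `None` means the class was found without metadata and the copy needs manual review.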
For more details visit the following pages:
Statement from CISA Director Easterly on “Log4j” Vulnerability | CISA
Log4j 0day being exploited : blueteamsec (reddit.com)