Apache Log4j 2 CVE-2021-44228
The vulnerable versions of Log4j 2 are 2.0 through 2.14.1 inclusive. The first fixed version is 2.15.0. We strongly encourage you to update to the latest version if you can. If you are using a version before 2.0, you are also not vulnerable.
https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/
Forwarded from SHELL SHOCK
Udemy
Complete Flask course from zero to expert
Forwarded from SHELL SHOCK
Udemy
XSS Survival Guide
Digging up the dark corners of XSS
The Story of an RCE on a Java Web Application
It was about two months ago (November 2021) I was invited to a private program. According to their program scope, I decided to hack them for a while. This post is about a vulnerability I’ve found in this company that led to RCE.
https://infosecwriteups.com/the-story-of-a-rce-on-a-java-web-application-2e400cddcd1e
Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
On Thursday, December 9th, a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE), by logging a certain string. Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short.
The 0-day was tweeted along with a POC posted on GitHub. It has now been published as CVE-2021-44228.
https://www.lunasec.io/docs/blog/log4j-zero-day/