Log4j: Getting ready for the long haul (CVE-2021-44228)

Published: 2021-12-14
Last Updated: 2021-12-14 13:07:59 UTC
by Johannes Ullrich (Version: 1)

Friday (Dec. 10th), we moved our Infocon to "Yellow" for the first time in about two years. We saw an immediate need to get the word out, as the log4shell vulnerability (CVE-2021-44228) was being actively exploited and affected various widely used products. Patches and workarounds were not readily available at the time. Our Infocon indicates "change," not "steady state." By now, everybody in infosec knows about log4shell. This morning I noticed that even cnn.com had log4j/log4shell mentioned at the top of the page. Once CNN covers an infosec topic like this, it should be old news for anybody "in the field."

We are now moving our "Infocon" back to "green."

Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: how to live with log4shell long term.

Please keep notes as you deal with this vulnerability and as you find new instances of log4j in your environment. I don't think this is the last we will hear of log4j or JNDI. History has taught us that vulnerabilities like this focus attention on the affected features and libraries. I suspect there will be more to come.

As of this writing, log4j 2.16 is the officially fixed version. log4j 2.15 was the initial fix; 2.16 fixes some remaining issues with pattern formatters that could still expose you to JNDI lookups.
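As an added example (not from this diary or from the log4j project), a small Python inventory helper that reads the Maven pom.properties inside each jar, follows jars nested in war/ear files, and classifies the version against the 2.15/2.16 guidance above; it also notes whether JndiLookup.class was stripped, a common interim workaround. The sample war it builds is constructed for the demonstration and is not a real log4j artifact.

```python
import io, re, zipfile

FIXED = (2, 16, 0)    # 2.16.0 is the fixed release the diary points to
PARTIAL = (2, 15, 0)  # 2.15.0 was the initial fix; pattern formatters could still reach JNDI
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)  # Maven 'version=' line
    return tuple(int(x or 0) for x in m.groups()) if m else None

def status(version, has_jndi):
    """2.16 is fixed, 2.15 only partly; older jars stay vulnerable unless JndiLookup was stripped."""
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "fixed"
    if version >= PARTIAL:
        return "partial-fix: upgrade to 2.16"
    return "vulnerable" if has_jndi else "vulnerable-version, JndiLookup.class removed"

def inspect_archive(zf, origin):
    """Yield a finding if zf is log4j-core, then recurse into any archives nested inside it."""
    names = zf.namelist()
    if POM_PATH in names:
        version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
        has_jndi = JNDI_CLASS in names
        yield {"path": origin, "version": version, "jndi_lookup": has_jndi, "status": status(version, has_jndi)}
    for name in (n for n in names if n.endswith(ARCHIVES)):
        inner = io.BytesIO(zf.read(name))
        if zipfile.is_zipfile(inner):
            with zipfile.ZipFile(inner) as nested:
                yield from inspect_archive(nested, f"{origin}!{name}")

def classify(src, origin=None):
    with zipfile.ZipFile(src) as zf:  # src: a file path or an in-memory archive
        return list(inspect_archive(zf, origin or str(src)))

def make_sample_war(version, include_jndi=True):
    """Constructed test input: a war carrying a minimal log4j-core-like jar (not a real artifact)."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PATH, f"# constructed\nversion={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war
```

Point classify() at every .jar, .war and .ear under your application directories (for example via os.walk) and keep the findings as the running notes the diary asks for.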

Here are a few resources about log4j/log4shell:

RCE in Log4j / Log4Shell or how things can get bad quickly

Log4Shell Exploited to Implant Coin Miners

Log4Shell Live Stream

Log4Shell Followup: What we see and how to defend, and how to access our data

Log4j Zero-Day

List of Vendor Bulletins

List of Vulnerable Software

Official log4j Website

log4j 2.16 Update which fixes some remaining JNDI related issues


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

1 comment(s)


Thanks for everyone's collective work on this at ISC. Changing the infocon status is how I was alerted. I would have come across it eventually, but probably much later in the day. This worked as intended, and I don't miss the days when this changed pretty frequently.
