Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü which is part of the Apache Logging Services.
A zero-day vulnerability involving remote code execution in Log4j, given the descriptor CVE-2021-44228, was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021.
Affected services include Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and Twitter. The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit. The vulnerability was characterized by cybersecurity firm Tenable as “the single biggest, most critical vulnerability of the last decade” and Lunasec’s Free Wortley characterized it as “a design failure of catastrophic proportions”.
The director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit “critical” and advised vendors to prioritize software updates, and the German agency Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an “extremely critical threat situation”.