Critical Vulnerability Discovered in Ubiquitous Log4j Library

A newly discovered vulnerability in an incredibly popular Java logging library, log4j, was made public today. The ease of exploitation appears to be relatively low while the severity is critical, with successful exploitation resulting in remote code execution. The issue has been assigned CVE-2021-44228 and is being called Log4Shell.

What is affected?
Apache Struts2, Apache Solr, Apache Druid, and Apache Flink have all been confirmed to be vulnerable by the Alibaba Cloud security team, to which this issue was first reported. All other applications using Apache log4j between versions 2.0 and 2.14.1 are also likely vulnerable. The total number of affected applications and servers is well into the millions. For successful exploitation to take place, the application must use log4j to write user-controlled strings to a file.

Remediation
Update the log4j library in your applications to version log4j-2.15.0-rc1 or later. You may also prevent lookups in user-controlled input by setting the JVM flag -Dlog4j2.formatMsgNoLookups=True at application startup. However, this may break functionality in some apps.
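A defender-side check for the version range given above, as an added example that is not part of the advisory: it reads the version Maven records inside a log4j-core jar (the standard `META-INF/maven/.../pom.properties` entry) and classifies it against the 2.0 to 2.14.1 range. The sample jars are constructed in-memory so the script runs offline.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

# Maven writes this entry into every log4j-core jar it builds.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """Split '2.15.0-rc1' into (2, 15, 0, 'rc1'); missing patch/qualifier default to 0/''."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) or "")


def is_vulnerable(version: str) -> bool:
    """True for log4j-core 2.0 through 2.14.1 inclusive, the range named in the advisory."""
    major, minor, patch, _qualifier = parse_version(version)
    return major == 2 and (minor < 14 or (minor == 14 and patch <= 1))


def log4j_version_in_jar(jar_bytes: bytes) -> Optional[str]:
    """Return the log4j-core version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def build_fake_jar(version: str) -> bytes:
    """Constructed sample: a minimal jar holding only the Maven pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def assess_jar(jar_bytes: bytes) -> str:
    """Human-readable verdict: vulnerable range, fixed, or no log4j-core metadata found."""
    v = log4j_version_in_jar(jar_bytes)
    if v is None:
        return "no log4j-core metadata"
    verdict = "VULNERABLE: update or set -Dlog4j2.formatMsgNoLookups=True" if is_vulnerable(v) else "not in vulnerable range"
    return f"log4j-core {v}: {verdict}"


if __name__ == "__main__":
    for ver in ("2.0", "2.14.1", "2.15.0-rc1", "2.15.0"):
        print(assess_jar(build_fake_jar(ver)))
```

To scan a real deployment, feed `assess_jar` the bytes of each jar found on the application's classpath (shaded or nested jars need unpacking first).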