Apache Log4j Remote Code Execution Vulnerability.

Web Servers Systems Networks
Advisory ID:
December 20, 2021


On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code. The Apache Log4j 2 utility is a widely deployed Java-based logging utility used for logging requests. Open-source reporting indicates that active scanning and exploitation of this vulnerability have been observed.

Description & Consequence

Log4j is a widely used open-source logging library for Java applications. Log4j provides additional logging capabilities, like log levels (fatal, error, warn, etc), mechanisms to write to different log files, log rolling patterns, and more. The critical remote code execution (RCE) vulnerability discovered in Log4j is affecting versions between 2.0-beta9 to 2.14.1. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device. Due to the Log4j library’s widespread use in popular frameworks, many third-party apps may also be vulnerable to exploitation. In addition, Log4j is often used in enterprise Java software and is also included in several Apache frameworks including but not limited to: Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other Java frameworks also include it in their libraries, including but not limited to: Netty, MyBatis and the Spring Framework.

An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.


Organisations running products with Apache Log4j are recommended to take the following actions:

  1. Visit Apache’s Log4j Security Vulnerabilities page (https://logging.apache.org/log4j/2.x/security.html) for patches information and, apply as applicable.
  1. If you’re using Java 8 or later, upgrade to Log4j 2.16.0, which has the JNDI lookup functionality disabled by default
  2. If you’re using Java 7 and unable or unwilling to upgrade to Java 8, upgrade to Log4j 2.12.2.
  3. If upgrading the Log4j library is not within your control, but you have access to the servers running the application, Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. This assumes you’re confident your application does not leverage JNDI Lookups.
  4. Report any incident of system compromise to ngCERT on incident@cert.gov.ng for technical assistance.


  1. https://cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability 
  2. https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
  3. https://runpanther.io/blog/panthers-guide-to-log4j-exploitation-prevention-and-detection/ 


Related Articles