CVE-2021-44228 / Log4Shell VulnerabilityIndustry: N/A | Level: Tactical | Sources: LunaSec&GitHub-Log4Shell-List

A zero-day exploit has been identified for Java logging library “log4j” that could result in remote code execution. Affected versions include Log4j 2.0-beta9 up to 2.14.1 with service impacts to many Apache Struts configurations and cloud services such as Steam, Apple iCloud, and others.The exploit requires three components a vulnerable log4j version, any protocol that enables the attack to send the exploit string, and a log statement that can log the string from the request.Mitigation is available through an update with affected users recommended to update to log4j version “log4j-2.15.0-rc2”. Threat researchers have identified a variety of threats Kinsing (cryptocurrency miner), Mirai Malware, Cobalt Strike, a new unidentified ransomware strain, and likely others, yet to be identified, taking advantage of the widespread vulnerability.