Re: log4j trivial RCE (similar to ShellShock) - "Log4Shell" CVE-2021-44228


JP
 

Thank you so much for the post Royce. Knowing how ubiquitous this logging package was, it really blew up big and is moving fast. I shared your notification with The Tech Tribe not long after your original post; it blew up the forums, and even an out-of-band email alert was sent. About 8500 techs around the world owe you their thanks (and you made me look like a rockstar, lol). I was able to coordinate my systems, including patching UniFi controllers, all before dinner.

Seriously though, many were caught totally flat-footed, some huge vendor names were affected, and lots of really big MSPs shut down their PSA and RMM systems out of caution until the vendors could provide a fix or report their investigations. In many cases, we (the MSPs) were asking the vendors before they had released their findings. This was really fast action. It could have been like the Kaseya ransomware attack. You may have directly affected thousands of businesses. You are THE BEST!

Please let me buy you lunch!
 
---
Book time with me here: https://calendly.com/jptechnical
     ___ _______ 
    |   |       |
    |   |    _  |
    |   |   |_| |
 ___|   |    ___|
|       |   |    
|_______|___|    
JP (Jesse Perry)
voice/text: 907-748-2200
email: jp@...
support: helpdesk@...



On Fri, Dec 10, 2021 at 7:43 AM Royce Williams <royce.williams@...> wrote:
This one is developing quickly, so I'll push updates here as I discover them:


-- 
Royce Williams
Tech Solvency


On Fri, Dec 10, 2021 at 7:21 AM Royce Williams <royce@...> wrote:
Summary (Dan Goodin):
Log4j takes a log message, interprets it as a URL and goes out and fetches it. It will even execute JavaScript in URLs with full privileges of the main program. Exploits are triggered inside log messages using the ${} syntax. Easy peasy.

Who is affected:
- Servers and clients that run Java and also log anything using the log4j framework
- log4j 2.x confirmed, and probably log4j 1.x also
- Don't forget appliances that use Java server components
- Downstream projects that include log4j, including Apache Struts, Solr, etc.

Required to fully mitigate:
- Upgrade to Log4j 2.15.0
- requires Java 8

Exploitation: active:

Mitigations - easiest:
- (@MalwareTechBlog): If you can't upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).

Mitigations - official project itself (https://logging.apache.org/log4j/2.x/)
>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.
>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
>Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

Mitigations - harder:
- WAF to limit exploit queries
- egress filtering to block unexpected outbound traffic

Exploit detection:

Good threads and summaries:

-- 
Royce Williams
Tech Solvency
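The Log4j project note quoted in Royce's message lists removing the JndiLookup class from the log4j-core jar as a mitigation, and warns that removing JndiManager as well breaks JndiContextSelector and JMSAppender. The following is an added example, not code from the thread or from the Log4j project, showing how to check a log4j-core jar for that class and its manifest version and produce a copy with only JndiLookup.class removed. The jar it builds is constructed for illustration (the class entries are stand-in bytes, not real bytecode), and reading the version from Implementation-Version in MANIFEST.MF is an assumption about how the jar was built.

```python
# Added example: inspect a log4j-core jar and apply the "remove JndiLookup"
# mitigation from the Log4j project note. Not code from the thread or the
# project. The sample jar is constructed; real jars are read from disk with
# harden_jar_file().
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
FIXED_VERSION = (2, 15, 0)  # the advisory's "fully mitigated" release


def build_sample_jar(version):
    """Constructed stand-in for log4j-core: a manifest plus a few class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        # Stand-in entries; real bytecode is not needed for the zip handling.
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_MANAGER, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def manifest_version(jar_bytes):
    """Implementation-Version from MANIFEST.MF, or None (assumes a Maven-style manifest)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); ignores qualifiers such as '-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def contains(jar_bytes, entry):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return entry in zf.namelist()


def needs_attention(jar_bytes):
    """True when the jar is below 2.15.0 and still ships JndiLookup.class.
    A 1.x jar has no entry at that path, so it is not flagged here; the
    advisory only says 1.x is 'probably' affected."""
    v = manifest_version(jar_bytes)
    return (v is not None
            and version_tuple(v) < FIXED_VERSION
            and contains(jar_bytes, JNDI_LOOKUP))


def strip_jndi_lookup(jar_bytes):
    """Copy of the jar with JndiLookup.class dropped and every other entry kept.
    JndiManager is deliberately left in place: the project note says removing
    it also disables JndiContextSelector and JMSAppender."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info))
    return out.getvalue()


def harden_jar_file(src_path, dst_path):
    """Disk wrapper: write a stripped copy; returns True if the class was removed."""
    with open(src_path, "rb") as f:
        data = f.read()
    if not contains(data, JNDI_LOOKUP):
        return False
    with open(dst_path, "wb") as f:
        f.write(strip_jndi_lookup(data))
    return True


if __name__ == "__main__":
    jar = build_sample_jar("2.14.1")
    print("version:", manifest_version(jar), "needs attention:", needs_attention(jar))
    fixed = strip_jndi_lookup(jar)
    print("after strip, needs attention:", needs_attention(fixed),
          "JndiManager kept:", contains(fixed, JNDI_MANAGER))
```

Write the stripped copy to a new path and swap it in with the JVM stopped; a running JVM has the original jar open, and the change only takes effect on restart. Upgrading to 2.15.0 remains the advisory's full fix; this only removes the lookup class from jars you cannot upgrade yet.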
