
Apache Log4j Remote Code Execution (CVE-2021-44228)

VIP | 10 Points | CVE-2021-44228

Overview

Apache Log4j Remote Code Execution, commonly known as Log4Shell and tracked as CVE-2021-44228, is one of the most widely known Java security vulnerabilities. It affects the log4j-core component of Apache Log4j 2, which is embedded in web applications, enterprise platforms, cloud services, and internal Java services.

Vulnerability Overview

The vulnerability is caused by unsafe JNDI lookup behavior in Log4j. When a vulnerable application logs attacker-controlled input, Log4j may evaluate lookup expressions embedded in the logged message (such as JNDI lookups) instead of treating the value as plain text. Because applications often log HTTP headers, usernames, form fields, error messages, and API parameters, the vulnerable code path can be reached through many different parts of an application.

In affected environments, this behavior can allow an unauthenticated remote attacker to trigger code execution on the server. The issue became especially severe because Log4j was widely embedded as a transitive dependency, meaning many organizations were exposed even when they did not directly manage Log4j in their own application code.

Apache disabled message lookup behavior by default in Log4j 2.15.0 and removed the vulnerable functionality in later fixed releases, including the maintained security release lines.

Impact

CVE-2021-44228 has a CVSS 3.1 score of 10.0 and is rated Critical. The scoring reflects network reachability, low attack complexity, no required privileges, no user interaction, changed scope, and high confidentiality, integrity, and availability impact.

Successful exploitation can lead to remote code execution, server compromise, credential theft, malware deployment, lateral movement, and unauthorized access to internal systems. Internet-facing Java applications are especially high risk when they log untrusted input and run vulnerable Log4j versions.

The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on December 10, 2021, which reflects confirmed exploitation in the wild. It also creates a detection challenge: exploitation attempts may appear in web server logs, application logs, proxy logs, WAF events, and other telemetry sources, often using obfuscated or unusual lookup patterns to bypass simple filtering.

Vulnerability Scope

CVE-2021-44228 affects vulnerable releases of Apache Log4j 2 before the fixed versions published by the Apache project. The highest-risk exposure typically appears in Java applications that use vulnerable Log4j versions and process attacker-controlled input through logging.

Apache Log4j 2 releases from 2.0-beta9 through 2.15.0 are affected, excluding the security releases 2.12.2, 2.12.3, and 2.3.1.

The issue is specific to log4j-core; it does not apply to other Apache Logging Services projects such as log4net or log4cxx.

When reviewing exposure, teams usually need to check direct dependencies, transitive dependencies, packaged applications, container images, vendor products, and internally deployed Java services. Patching Log4j alone may not be enough if old application bundles, shaded JARs, or third-party products still include vulnerable versions.
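The affected-range and exposure-review points above can be turned into a repeatable check. The following is an added example, not code from the lab or from the Apache project: it walks a JAR or WAR (recursing into nested JARs such as WEB-INF/lib bundles and shaded fat JARs), reads the log4j-core version from the Maven pom.properties that real log4j-core JARs ship, and flags a copy only if its version falls in the advisory's range and its JndiLookup.class is still present, so a copy mitigated by class removal is reported but not flagged. The sample WAR it scans is constructed inline with empty class entries.

```python
import io, re, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # as shipped in log4j-core
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SAFE_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}   # security releases the advisory excludes

def version_key(v):
    """Sortable key so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1 < 2.15.0."""
    core, _, pre = v.partition("-")
    nums = tuple(([int(x) for x in core.split(".")] + [0, 0, 0])[:3])
    m = re.fullmatch(r"([a-z]+)(\d*)", pre)
    return (nums, (0, m.group(1), int(m.group(2) or 0)) if m else (1, "", 0))

def is_affected(version):
    """True when the version is inside the advisory's range 2.0-beta9..2.15.0, minus the backports."""
    low, high = version_key("2.0-beta9"), version_key("2.15.0")
    return version not in SAFE_BACKPORTS and low <= version_key(version) <= high

def scan_jar(data, path="<root>"):
    """Return [(path, version, affected)] for each log4j-core found, recursing into nested JARs/WARs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            lines = zf.read(POM_PROPS).decode().splitlines()
            version = dict(l.split("=", 1) for l in lines if "=" in l).get("version")
            # A copy whose JndiLookup.class was removed is not flagged even if its version is in range.
            affected = version is not None and JNDI_LOOKUP in names and is_affected(version)
            findings.append((path, version, affected))
        for name in names:   # shaded/fat JARs and WAR WEB-INF/lib bundles hide further copies
            if name.endswith((".jar", ".war")):
                findings += scan_jar(zf.read(name), f"{path}!/{name}")
    return findings

def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core JAR; an empty class entry is enough for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()

def sample_app_findings():
    """Constructed WAR: a vulnerable nested copy, one with JndiLookup.class stripped, and a backport."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-stripped.jar", build_sample_jar("2.14.1", False))
        zf.writestr("WEB-INF/lib/log4j-core-2.12.2.jar", build_sample_jar("2.12.2"))
    return scan_jar(buf.getvalue(), "app.war")
```

Run scan_jar over the bytes of a real deployment artifact to get the same (path, version, affected) triples; a version of None means pom.properties was present but had no version line, which is worth a manual look.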

Lab Focus

This lab focuses on understanding how Log4Shell appears in a controlled application environment, why logging untrusted input can become dangerous, and how remote code execution risk emerges from unsafe lookup behavior. The goal is to practice recognizing the vulnerability context, interpreting the impact, and understanding the remediation scope without exposing real production systems.

Resources