Log4j is a logging framework. With log4j, application messages can be logged in Java. It is used on many open source as well as commercial software products. The project was originally founded in 1996 by Ceki Gülcü while working at the IBM Development Lab in Zurich. Today, it is part of the logging project of the Apache Software Foundation and is licensed under Apache licence 2.0. Log4j can be used to forward messages to selected logging systems via so-called loggers. In addition, a filtering and type of output can be configured based on the importance ("log level").
Vulnerability findings in December 2021
On the 10th of December 2021, a zero-day vulnerability was identified in log4j version 2 (CVE-2021-44228, often referred to as Log4Shell). This vulnerability could be exploited by attackers to execute arbitrary codes.
«Apache Log4j Security Vulnerabilities» lists all affected versions and measures taken by the Apache project regarding this vulnerability. Measures taken so far to close the gap:
Critical vulnerability CVE-2021-4428
- publication of Log4j version 2.15.0
- for affectd versions from 2.0-bet9 through 2.12.1 and 2.13.0 through 2.14.1
- publication of Log4j version 2.12.2 and 2.16.0
- for affected versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
- The published version Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
GovCERT.ch has published a dedicated page on this topic, which describes the security vulnerability in detail and also illustrates the problem and the solution to the problem using a graph.