CVE-2021-44228

CRITICAL
2021-12-10 [email protected]
10.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Patch Released
Feb 20, 2026 - 16:15 nvd
Patch available
PoC Detected
Feb 20, 2026 - 16:15 vuln.today
Public exploit code
Added to CISA KEV
Feb 20, 2026 - 16:15 cisa
CISA KEV
CVE Published
Dec 10, 2021 - 10:15 nvd
CRITICAL 10.0

Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Analysis

Apache Log4j2 contains a critical JNDI injection vulnerability known as 'Log4Shell' that allows unauthenticated remote code execution through crafted log messages, affecting virtually every Java application on Earth and triggering the largest vulnerability remediation effort in history.

Technical Context

The CWE-20 vulnerability in Log4j2's lookup feature automatically processes JNDI references in log messages. When an application logs user-controlled data containing ${jndi:ldap://...}, Log4j resolves the JNDI reference, connecting to an attacker's LDAP server which returns a malicious Java class for execution. The attack surface includes HTTP headers, form fields, usernames, and any other data that reaches a log statement.

Affected Products

['Apache Log4j2 2.0-beta9 through 2.15.0', 'Virtually every Java application using Log4j2 for logging', 'Cloud services, enterprise software, embedded devices, IoT, and more']

Remediation

Update Log4j2 to 2.17.1+. If immediate patching is impossible: set log4j2.formatMsgNoLookups=true, remove JndiLookup class from classpath, or upgrade to Java 8u191+ (partial mitigation). Scan all Java applications for Log4j2 usage. This requires organization-wide inventory of all Java deployments.

Priority Score

224
Low Medium High Critical
KEV: +50
EPSS: +94.4
CVSS: +50
POC: +20

Share

CVE-2021-44228 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy