Accident Details

Domain: Internet
Year: 2021
Data Categories: Dynamic
Properties Lost: Integrity
Summary:
Critical zero-day vulnerability affecting Apache Log4j2 Java library
Details:
On Dec 10th 2021 a new critical zero-day vulnerability was detected that affected the Apache Log4j 2 Java library. It adversely impacted the digital domain and security systems worldwide. The vulnerability, when exploited, permitted remote code execution on the vulnerable server with system-level privileges.
Log4j is a highly configurable logging mechanism for Java (“log4j”) that is used for documentation and debugging. Although originally developed for the Apache web server, it has been used as part of many commercial applications, including network monitoring tools and even games such as Minecraft. The exploit was a combination of the Java code that contains different logging functions (typically error(), warn(), info(), debug(), ...) and a configuration file. The configuration file specifies which information shall be added to the log file, the associated format, and how to “interpret” the logged data.
The security risk was that the logging mechanism was configured by default to interpret the logged data, so data entered by a user and then logged could be used to attack the server. For example, if a user were to enter a “delete .” command, along with certain escape sequences, into the name field of an HTML page instead of a name, it might cause huge damage on the server if this data were logged by the software and interpreted as directed by the configuration file.
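A simplified model of the flaw described above, as an added example that is not part of the original record and is not Log4j's own code. The lookup table, its values and the function names are hypothetical; `%m` stands for the logged message and `${...}` for a value the logger resolves while formatting.

```python
import re

# Constructed lookup table standing in for the values a logging
# framework can resolve (hypothetical names, not Log4j's real API).
LOOKUPS = {"app:name": "shop", "env:DB_PASSWORD": "constructed-secret"}
LOOKUP_RE = re.compile(r"\$\{([^${}]+)\}")

def expand(text):
    """Replace every ${key} with its lookup value; unknown keys stay as-is."""
    return LOOKUP_RE.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)

def log_vulnerable(pattern, message):
    # Weak default: the message is merged into the pattern first, then the
    # whole line is interpreted, so user data is treated like configuration.
    return expand(pattern.replace("%m", message))

def log_hardened(pattern, message):
    # Only the operator-written pattern is interpreted; the message is
    # inserted afterwards as inert text, with line breaks neutralised.
    safe = message.replace("\r", "\\r").replace("\n", "\\n")
    return expand(pattern).replace("%m", safe)

def contains_lookup(message):
    """Detection helper: flag user-supplied data that carries lookup syntax."""
    return bool(LOOKUP_RE.search(message))

PATTERN = "[${app:name}] login name=%m"
benign = "alice"
hostile = "${env:DB_PASSWORD}"   # constructed input typed into a name field

if __name__ == "__main__":
    for name in (benign, hostile):
        print(log_vulnerable(PATTERN, name), "|", log_hardened(PATTERN, name),
              "| flagged:", contains_lookup(name))
```

The vulnerable variant lets the name field decide what the logger resolves; the hardened variant writes the same input to the log as plain text.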
Data Property involved: Integrity.
Links:
- Apache provides details on security issues with the log4j library, including available fixes, on its website: https://logging.apache.org/log4j/2.x/security.html (accessed 09/01/2022)
- Further details may be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (accessed 09/01/2022)