The Log4j Incident Explained

What was wrong, how it was fixed, what we can learn

Beppe Catanese
Geek Culture


On 9 December 2021, the Log4j vulnerability was discovered by a member of the Alibaba Security Team, sending a shockwave through the Java world and the entire tech industry.

While engineers, DevOps and security experts rushed to mitigate and prevent exploitation, the Log4j committers released a patch quickly, followed soon after by further fixes as the scope of the problem became clear and understood.

In this blog post I will look at the following:

  • what is Log4Shell: a look at the vulnerable code and how to exploit it
  • solutions: present the (earlier) workarounds put in place and the (later) source code corrections applied
  • secure logging: recap some important logging best practices
  • OpenTelemetry: application logging with OpenTelemetry

Log4Shell

Log4Shell (CVE-2021-44228) is the Log4j vulnerability published on 10 Dec 2021 which allows a malicious attacker, by crafting specific text that ends up in a log message, to trigger the loading and execution of arbitrary code from external servers. These cunningly crafted strings take advantage of the JNDI lookup feature (!?) to fetch external content and can lead to DoS attacks and/or extraction of…


Developer Relations @ Adyen. Here sharing new trends, dev tools and best practises about APIs.