On the 10th of December, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as critical with a CVSS score of 10 (the highest score possible). The vulnerability was discovered by Chen Zhaojun, a member of Alibaba’s Cloud Security team.

All current versions of log4j 2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.16.0 or later.

Many of the application frameworks that are found within the Java ecosystem use this logging framework by default. In particular, Apache Struts 2, Apache Solr, and Apache Druid are all affected by this vulnerability. Apart from those, Apache Log4j is also used by many Spring and Spring Boot applications, so we recommend you check your applications and make sure they’re updated to the latest version.