{"id":73009,"date":"2021-12-29T11:52:00","date_gmt":"2021-12-29T16:52:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=73009"},"modified":"2025-01-03T10:36:16","modified_gmt":"2025-01-03T08:36:16","slug":"apache-log4j-rce-variants-and-updates","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/blog\/apache-log4j-rce-variants-and-updates\/","title":{"rendered":"APACHE LOG4J RCE &#8211; Variants and Updates"},"content":{"rendered":"<p class=\"has-text-align-center\"><strong><em>This is the MOST RECENT update to our previous research blog: <\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center\"><strong><em><a href=\"https:\/\/checkmarx.com\/blog\/apache-log4j-remote-code-execution-cve-2021-44228\/\" target=\"_blank\" rel=\"noreferrer noopener\">APACHE LOG4J REMOTE CODE EXECUTION \u2013 CVE-2021-44228<\/a><\/em><\/strong><\/p>\n\n\n\n<p>On December 9th the most critical zero-day exploit in recent years was disclosed, affecting most of the biggest enterprise companies. 
This critical 0-day&nbsp;<a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\">exploit was discovered<\/a>&nbsp;in the extremely popular Java logging library&nbsp;<a href=\"https:\/\/mvnrepository.com\/artifact\/log4j\/log4j\" target=\"_blank\" rel=\"noreferrer noopener\">log4j<\/a>, which allows RCE (Remote Code Execution) by logging a certain payload.<\/p>\n\n\n\n<p>The vulnerability was given the nickname \u201cLog4Shell\u201d. It has a CVSS (Common Vulnerability Scoring System) score of 10, the highest risk possible, and was published in a&nbsp;<a href=\"https:\/\/github.com\/advisories\/GHSA-jfh8-c2jp-5v3q\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub advisory<\/a>&nbsp;with a critical severity level.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\"><strong>EXPLOIT SCOPE<\/strong><\/h2>\n\n\n\n<p>Log4Shell was being exploited for a few days before its public disclosure. Furthermore, Log4Shell scanning attempts were discovered up to two weeks beforehand. Attackers were able to install cryptominers, create botnets, and steal sensitive data and system credentials. As of today, it is estimated to have affected over a million machines.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\"><strong>RELEVANT CVES<\/strong><\/h2>\n\n\n\n<p>Since its disclosure, and up to the creation of this article, five CVEs (Common Vulnerabilities and Exposures) concerning Log4j2 and Log4j1 were published:<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\"><strong>LOG4J2:&nbsp;CVE-2021-44228<\/strong><\/h2>\n\n\n\n<p>Log4j2 versions 2.0-beta9 through 2.15.0 (excluding 2.12.x after 2.12.1) are vulnerable to remote code execution using its LDAP (Lightweight Directory Access Protocol) JNDI parser. 
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. The initial vulnerability, designated&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-44228<\/a>,&nbsp;was supposedly fixed in versions 2.12.2 and 2.15.0. The fix consists of disabling JNDI by default and restricting LDAP access via JNDI in log4j2\u2019s named object lookup and JNDI manager.<\/p>\n\n\n\n<p>This vulnerability has received the highest CVSS score possible \u2013&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&amp;version=3.1\" target=\"_blank\" rel=\"noreferrer noopener\">10<\/a>&nbsp;and it affects the following packages, which are available through Maven Package Manager:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>org.apache.logging.log4j:log4j-api<\/li>\n\n\n\n<li>org.apache.logging.log4j:log4j-core<\/li>\n<\/ul>\n\n\n\n<p>Note &#8211; The vulnerability itself is in log4j-core. The Logger class, which POCs (proofs of concept) use to trigger the exploit by calling Logger.error(), is defined in log4j-api. 
To detect such a usage with the exploitable path, and to secure our customers as much as possible, we added the Logger&#8217;s methods as vulnerable methods (which eventually trigger the vulnerability according to the research).&nbsp;<em>This approach is reflected in GitHub\u2019s Advisory page for this vulnerability<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\"><strong>LOG4J2:&nbsp;CVE-2021-45046<\/strong><\/h2>\n\n\n\n<p>On December 11<sup>th<\/sup>, 2021, it was discovered that CVE-2021-44228\u2019s fix was incomplete in certain non-default configurations, which could allow attackers to craft malicious input data using a JNDI lookup pattern, resulting in an information leak and RCE in some environments and LCE (Local Code Execution) in all environments. RCE is also possible in some macOS environments. This complementary vulnerability was designated&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45046\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-45046<\/a>&nbsp;and was fixed in versions 2.12.2 and 2.16.0 by disabling JNDI by default and by removing message lookups.<\/p>\n\n\n\n<p>As this vulnerability was initially regarded as allowing for only DOS (Denial of Service) attacks, the CVSS score assigned for this vulnerability was 3.7. 
Since it was later found to be a much more severe threat (RCE), the CVSS score was raised to <a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&amp;version=3.1\" target=\"_blank\" rel=\"noreferrer noopener\">9.0<\/a>.<\/p>\n\n\n\n<p>This vulnerability is an extension of CVE-2021-44228, thus the affected packages are the same.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Mitigation options for CVE-2021-44228 and CVE-2021-45046:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users requiring Java 8 (or later) should upgrade to release 2.16.0 or above.<\/li>\n\n\n\n<li>Users requiring Java 7 should upgrade to release 2.12.2 or above.<\/li>\n\n\n\n<li>Remove the JndiLookup class from the classpath:<\/li>\n<\/ul>\n\n\n\n<p>zip -q -d log4j-core-*.jar org\/apache\/logging\/log4j\/core\/lookup\/JndiLookup.class<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\"><strong>LOG4J2:&nbsp;CVE-2021-45105<\/strong><\/h2>\n\n\n\n<p>It was discovered on December 15<sup>th<\/sup>, 2021, that log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.x <a href=\"https:\/\/github.com\/apache\/logging-log4j2\/commit\/ff844c0a4d8eb4afe260494be1c2dc1b52cbf50d\" target=\"_blank\" rel=\"noreferrer noopener\">from 2.12.3<\/a>) are vulnerable to DOS attacks, since they do not protect against uncontrolled infinite recursion of self-referential lookups. These in turn result in a Stack Overflow error that will terminate the process. This vulnerability was published at NVD on December 18<sup>th<\/sup>, 2021, under <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45105\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-45105<\/a> and was fixed in version 2.17.0 by fixing string substitution recursion and limiting JNDI to the java protocol only. 
According to GitHub Advisory and previous fixes for log4Shell\u2019s variants, the fix for Java 7 users should be released in the <a href=\"https:\/\/github.com\/apache\/logging-log4j2\/commit\/ff844c0a4d8eb4afe260494be1c2dc1b52cbf50d\" target=\"_blank\" rel=\"noreferrer noopener\">upcoming version 2.12.3<\/a>. The CVSS score assigned to it by Apache is <a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H&amp;version=3.1\" target=\"_blank\" rel=\"noreferrer noopener\">5.9<\/a>.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Mitigation options for CVE-2021-45105<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users requiring Java 8 (or later) should upgrade to release 2.17.0 or above.<\/li>\n\n\n\n<li>Users requiring Java 7 should upgrade to release 2.12.3 or above.<\/li>\n\n\n\n<li>Users requiring Java 6 should upgrade to release 2.3.1 or above.<\/li>\n\n\n\n<li>In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).<\/li>\n\n\n\n<li>In the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\"><strong>LOG4J2:&nbsp;CVE-2021-44832<\/strong><\/h2>\n\n\n\n<p>The Checkmarx Security Research Team <a href=\"https:\/\/checkmarx.com\/blog\/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element\/\" target=\"_blank\" rel=\"noreferrer noopener\">publicly disclosed<\/a> a new vulnerability they recently discovered on December 28<sup>th<\/sup>, 2021. This vulnerability allows for ACE (Arbitrary Code Execution) in versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). 
<\/p>\n\n\n\n<p>An attacker who gains control over the logging configuration&nbsp;(via a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\" target=\"_blank\" rel=\"noreferrer noopener\">MITM<\/a> attack, since log4j has a feature to load a remote config file) can construct a malicious configuration using the JDBC Appender with a data source referencing a JNDI URI, which can then execute remote code.<\/p>\n\n\n\n<p>This vulnerability was fixed in version 2.17.1 by limiting JNDI data source names to the java protocol, and it was assigned a CVSS score of&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:H\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H&amp;version=3.1\" target=\"_blank\" rel=\"noreferrer noopener\">6.6<\/a>, a slightly lower severity score because it is more complex to exploit than previous log4Shell variants.&nbsp;CVE-2021-44832 solely affects the log4j-core package.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Mitigation options for CVE-2021-44832<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users requiring Java 8 (or later) should upgrade to release 2.17.1 or above.<\/li>\n\n\n\n<li>Users requiring Java 7 should upgrade to release 2.12.4 or above.<\/li>\n\n\n\n<li>Users requiring Java 6 should upgrade to release 2.3.2 or above.<\/li>\n\n\n\n<li>In prior releases, confirm that if the JDBC Appender is being used, it is not configured to use any protocol other than Java.<\/li>\n<\/ul>\n\n\n\n<p><strong>Important note for log4j2 vulnerabilities: <\/strong>Only the log4j-core JAR file is impacted by these vulnerabilities. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted. Apache Log4j is the only Logging Services subproject affected. 
Other projects like Log4net and Log4cxx are not impacted by these vulnerabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\"><strong>LOG4J1: CVE-2021-4104<\/strong><\/h2>\n\n\n\n<p>Disclosed on December 13<sup>th<\/sup>, 2021, and published on December 14<sup>th<\/sup>, 2021, on NVD under&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-4104\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-4104<\/a>, it was discovered that log4j1 was also vulnerable to the log4Shell vulnerability, which was previously believed to only affect log4j2.<\/p>\n\n\n\n<p>The root cause of this vulnerability is in the org.apache.log4j.net.JMSAppender class, which is vulnerable to deserialization of untrusted data when the attacker has&nbsp;<em>Write<\/em>&nbsp;access to the Log4j configuration. The attacker can provide malicious payloads to the configuration parameters, causing JMSAppender to perform JNDI requests that result in remote code execution. This affects non-default configurations of Log4j 1.2 since the JMSAppender configuration is disabled by default.<\/p>\n\n\n\n<p>The CVSS score assigned for this vulnerability is&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:H\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H&amp;version=3.1\" target=\"_blank\" rel=\"noreferrer noopener\">6.6<\/a>, which is lower than CVE-2021-44228 since the attacker must have write access to the log4j configuration to exploit it.<\/p>\n\n\n\n<p>The vulnerability affects the&nbsp;<strong>log4j:log4j<\/strong>&nbsp;package, which is available through Maven Package Manager:<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Mitigation options for CVE-2021-4104:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users should upgrade to Log4j2, either 2.12.4, 2.3.2, 2.17.1, or above, as it addresses numerous other issues from the previous versions.<\/li>\n\n\n\n<li>Do not expose to untrusted callers any mechanism that might allow 
access to the JMSAppender class or changes to the configuration of its instances.<\/li>\n\n\n\n<li>Comment out or delete the JMSAppender in the log4j configuration if it is used.<\/li>\n\n\n\n<li>Delete the JMSAppender class from the classpath:<\/li>\n<\/ul>\n\n\n\n<p>zip -q -d log4j-*.jar org\/apache\/log4j\/net\/JMSAppender.class<\/p>\n\n\n\n<p><strong>Important note: <\/strong>Apache Log4j 1.2 reached end of life in August 2015.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-8\">Detecting Log4Shell with Checkmarx SCA<\/h2>\n\n\n\n<p><a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\" target=\"_blank\" rel=\"noreferrer noopener\">Checkmarx SCA<\/a> provides fast and easy detection of the above-mentioned Log4Shell vulnerabilities in open-source dependencies. The following screenshots display our SCA scan results of code with vulnerable 3<sup>rd<\/sup>-party dependencies.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/12\/MicrosoftTeams-image-2-1024x437-1.png\" alt=\"\" class=\"wp-image-94442\"><\/figure>\n<\/div>\n\n\n<p class=\"has-text-align-center has-normal-font-size\"><strong>Figure 1 &#8211; SCA&#8217;s overview page, with a list of detected packages and risks<\/strong><\/p>\n\n\n\n<p>Today, it\u2019s clear. Software Composition Analysis (SCA) solutions are a requirement for organizations that consume open-source software. 
Checkmarx SCA enables your organization to address open-source security issues earlier in the SDLC to identify and manage risk more effectively.<\/p>\n\n\n\n<p>To learn more about Checkmarx SCA, you can request a live demo <a href=\"https:\/\/checkmarx.com\/request-a-demo\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>, or download our Ultimate Guide to SCA <a href=\"https:\/\/info.checkmarx.com\/ultimate-guide-software-compositon-analysis-ebook\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>This is the MOST RECENT update to our previous research blog: APACHE LOG4J REMOTE CODE EXECUTION \u2013 CVE-2021-44228 On December 9th the most critical zero-day exploit in recent years was disclosed, affecting most of the biggest enterprise companies. This critical 0-day&nbsp;exploit was discovered&nbsp;in the extremely popular Java logging library&nbsp;log4j&nbsp;which allows RCE (Remote code execution) by [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":73110,"template":"","zero-category":[1067,1104],"zero-tag":[1072,1068,1107,1075,1073,1070,1108],"class_list":["post-73009","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-technical-blog","zero-tag-awareness","zero-tag-checkmarx-security-research-team","zero-tag-cxsca","zero-tag-developer","zero-tag-english","zero-tag-open-source-security","zero-tag-sca"],"acf":[],"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/73009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/29"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/73110"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=73009"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=73009"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=73009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}