
Inside the Log4j2 vulnerability (CVE-2021-44228)

What's this blog post about?

On December 9, 2021, a severe vulnerability in the Java-based logging package Log4j was disclosed. The flaw allows an attacker to execute code on a remote server, an attack known as Remote Code Execution (RCE). The vulnerability, CVE-2021-44228, affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1, and is patched in 2.16.0. Because Java and Log4j are so widely used, it has been deemed one of the most serious vulnerabilities on the internet since Heartbleed and ShellShock. Cloudflare has implemented firewall rules to protect its clients from this vulnerability, while also ensuring that their systems are not vulnerable or have mitigated the issue. Companies using Java-based software with Log4j should immediately apply mitigation techniques to protect their systems.

Company
Cloudflare

Date published
Dec. 10, 2021

Author(s)
John Graham-Cumming

Word count
1123

Hacker News points
21

Language
English


By Matt Makai. 2021-2024.