0-day exploit in log4j resulting in remote code execution by logging a string.
Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
Update
Log4j 2.15 is also vulnerable.
Update to 2.16
Details
Scan your project with OWASP's dependency-check to spot the vulnerability: add this plugin to the <build><plugins> section of your pom.xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.5.0</version>
</plugin>
then run mvn org.owasp:dependency-check-maven:check
Java 8u191 or later mitigates the vulnerability by refusing to execute the remotely loaded code, but the JNDI lookup (and its outbound connection) still happens.
Add -Dlog4j2.formatMsgNoLookups=true to the JVM options
to disable message lookups on log4j 2.10-2.14 if upgrading to 2.15 (now 2.16, per the update above) is not possible.
Log4j v1 may be impacted as well: github.com
Updating from v1 to the latest v2 may be as simple as removing/excluding the v1 dependency and adding log4j-core v2 plus the log4j-1.2-api bridge: logging.apache.org
<!-- 2.15.0 is itself vulnerable per the update above; use 2.16.0 -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.15.0</version>
</dependency>
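As an added example (not part of the original post or of any project it mentions), a small scanner that classifies log4j jars found on a classpath or in a deployment directory according to the guidance above: below 2.10 upgrade only, 2.10-2.14 can use the formatMsgNoLookups flag as a stopgap, 2.15 is still vulnerable per the update, 2.16 is fixed, and log4j 1.x jars are flagged for review. The jar name patterns and the status strings are my own assumptions.

```python
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed version as of the "Update" above: 2.15 is still vulnerable, 2.16 fixes it.
FIXED = (2, 16, 0)
# First version where -Dlog4j2.formatMsgNoLookups=true applies (2.10-2.14 per the post).
FLAG_SUPPORTED = (2, 10, 0)

# Assumed jar naming: log4j-core-2.14.1.jar (v2 core) and log4j-1.2.17.jar (v1).
# log4j-api-*.jar is deliberately not matched; the vulnerable component is log4j-core.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' into (2, 14, 1); missing components count as 0."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def classify(version: str) -> str:
    """Map a log4j version string to the action the post recommends."""
    v = parse_version(version)
    if v[0] < 2:
        return "LOG4J1_REVIEW"        # v1 may be impacted; migrate to v2 + log4j-1.2-api
    if v >= FIXED:
        return "FIXED"
    if v[:2] == (2, 15):
        return "VULNERABLE_UPGRADE"   # 2.15 is vulnerable per the update; go to 2.16
    if v >= FLAG_SUPPORTED:
        return "VULNERABLE_FLAG_OK"   # flag is a stopgap if upgrading is impossible
    return "VULNERABLE_UPGRADE"       # below 2.10 the flag does not exist; upgrade


def classify_jar(filename: str) -> Optional[str]:
    """Classify a jar by its file name, or None if it is not a log4j (core) jar."""
    m = JAR_RE.match(os.path.basename(filename))
    return classify(m.group(1)) if m else None


def scan_jar_names(names: Iterable[str]) -> Dict[str, str]:
    """Classify every log4j jar in a list of paths (e.g. output of find . -name '*.jar')."""
    result = {}
    for name in names:
        status = classify_jar(name)
        if status is not None:
            result[name] = status
    return result


def scan_directory(root: str) -> Dict[str, str]:
    """Walk a deployed app or local Maven repository and classify its log4j jars."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_jar_names(found)


if __name__ == "__main__":
    # Constructed sample listing standing in for a real classpath.
    sample = ["lib/log4j-core-2.14.1.jar", "lib/log4j-api-2.14.1.jar",
              "lib/log4j-1.2.17.jar", "WEB-INF/lib/log4j-core-2.9.1.jar",
              "lib/log4j-core-2.15.0.jar", "lib/log4j-core-2.16.0.jar"]
    for jar, status in scan_jar_names(sample).items():
        print(f"{status:20} {jar}")
```

Point scan_directory at an unpacked WAR or ~/.m2/repository to get the same classification for real files; jars with classifiers (such as -sources) are intentionally ignored.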