16 December 2021

Understanding Log4Shell: vulnerability, attacks and mitigations


Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, that allows arbitrary code execution and leaking of environment variables. The vulnerability was publicly disclosed last week and took the Java world by storm because of how widespread it is.

But what is the Log4Shell vulnerability? How does it work? What types of attacks are possible and which mitigations exist?

Watch this video for answers! Java Champions Roy van Rijn and Bert Jan Schrijver dive into the vulnerability together, explaining its origin, looking at its inner workings and showing a live demo of exploiting and fixing a vulnerable Spring Boot application. They also discuss what actions to take when you find out your application is (potentially) vulnerable, and they are ready to answer any remaining questions you have.


Roy van Rijn

Director at OpenValue Rotterdam, Java Champion, JavaOne Rockstar, founder of the Rotterdam JUG, public speaker, blogger, loves: agile, cryptography, math, algorithms!

Bert Jan Schrijver

Bert Jan is CTO at OpenValue and focuses on Java, software architecture, Continuous Delivery and DevOps. Bert Jan is a Java Champion, JavaOne Rock Star speaker, Duke's Choice Award winner and leads NLJUG, the Dutch Java User Group. He loves to share his experience by speaking at conferences, writing for the Dutch Java magazine and helping out Devoxx4Kids with teaching kids how to code. Bert Jan is easily reachable on Twitter at @bjschrijver.