Apache Log4j2 Remote Code Execution Vulnerabilities

10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

If the target service is network-reachable and logs attacker-controlled input, a crafted payload may trigger Log4j2 JNDI lookups and lead to remote code execution.

This issue may allow full server compromise, resulting in data exposure, service disruption, and potential lateral movement.

It impacts Java services and related components using vulnerable Log4j2 versions, especially 2.0-beta9 to 2.14.1.

Log4j2 has been upgraded to a vendor-recommended secure release (2.17.1 or later), high-risk lookup functionality has been disabled per official guidance, and full-scope threat hunting and emergency hardening have been completed.