Security News > 2021 > December > Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely-used logging utility

An unauthenticated remote code execution vulnerability in Apache's Log4j Java-based logging tool is being actively exploited, researchers have warned after it was used to execute code on Minecraft servers.
The Apache Foundation published a patch for the critical-rated vuln earlier today.
Its patch notes confirmed: "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
Immersive Labs' application security specialist Sean Wright told The Register that while immediate patches are available, it may be better to mitigate now and wait for a stable candidate.
"While there are release candidates for the patches, they are not stable releases and can carry their own risks, so apply the temporary remediation until you can apply the patch from a stable version."
"Updating the log4j-core.jar to version 2.15.0, which was released today, fixes the problem. But we are now in December and many online services are going to be in a change freeze at this point in time - meaning the business won't tolerate downtime to patch the issue. It will be interesting if this is seen to propagate into retail."
News URL
Related news
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)