A critical Apache Log4j utility zero-day exploit (CVE-2021-44228) was made public on December 9, 2021. This vulnerability results in remote code execution (RCE).
With this announcement, there is a patch to this vulnerability that is actively being exploited in the wild and therefore all organizations using Log4j should update to version 2.15.0 as soon as possible. The latest version of the Apache Log4j utility can be found on the Log4j download page.
If updating to the latest version is not immediately possible then customers can also mitigate exploit attempts by setting the system property “log4j2.formatMsgNoLookups” to “true”; or by removing the JndiLookup class from the classpath.
In all Log4j versions >= 2.0-beta9 and <= 2.14.1 JNDI features used in the configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. More specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
As of log4j 2.15.0, this behavior has been disabled by default.
More details on the Apache Log4j utility zero-day vulnerability can be found on the official Log4j security page.