Log4jShell

Log4jShell vulnerability

  1. Kaspersky article
  2. https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ with the following “news”: If you have previously used LOG4J_FORMAT_MSG_NO_LOOKUPS to mitigate the log4shell vulnerability, in certain conditions this will not be sufficient to protect your code from RCE. Refer to our mitigation guide for additional steps you can take to remediate the impact of Log4Shell.
  3. The Apache group released two fixes in quick succession; after the second fix was found vulnerable to other attacks, a third fix (2.17.0) was released.
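
A practical consequence of items 2 and 3 is that a deployment should be audited by the log4j-core version it actually ships, not by whether LOG4J_FORMAT_MSG_NO_LOOKUPS is set. The following is an added example, not code from the linked articles or from Apache: it walks a WAR/JAR, including nested archives, and reports every log4j-core jar below 2.17.0. The function names, the sample archive and the sample versions are constructed for illustration, and treating 2.17.0 as the minimum is an assumption taken from item 3.

```python
import io
import re
import zipfile

FIXED = (2, 17, 0)  # third fix named on this page; treated here as the minimum
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def core_version(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label):
    """Yield (path, version) for log4j-core jars at any nesting depth."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            path = f"{label}!/{entry}"
            ver = core_version(entry)
            if ver is not None:
                yield path, ver
            elif entry.endswith((".jar", ".war", ".ear")):
                try:
                    yield from scan_archive(zf.read(entry), path)
                except zipfile.BadZipFile:
                    pass  # not a readable archive, skip it

def audit(data, label, env):
    """Return (path, version, note) for every log4j-core jar below FIXED."""
    flag = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
    note = "flag set, not sufficient: upgrade" if flag else "upgrade"
    return [(p, ".".join(map(str, v)), note)
            for p, v in scan_archive(data, label) if v < FIXED]

def build_sample_war():
    """Constructed sample: WAR with old, fixed and nested log4j-core jars."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.15.0.jar", b"constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", b"constructed")
        zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", b"constructed")
        zf.writestr("WEB-INF/lib/service.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    env = {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}  # constructed environment
    for finding in audit(build_sample_war(), "app.war", env):
        print(*finding, sep="  ")
```

The check relies on jar file names only, so a shaded or renamed copy of log4j-core would not be reported.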