History

#Log4Shell#Java#dependencies#CVE

Log4Shell (CVE-2021-44228) — the night the world feared a bug it couldn't even confirm it had

In December 2021, Log4j had a CVSS 10.0 RCE. The real terror: being affected through a library you didn't know you used (transitive dependencies). How logging became an attack vector, and the lessons: SBOM, machine-monitoring, fast patching.

Published 2026-06-07 Updated 2026-06-07 4 min read

Revisiting a landmark event — not to reproduce the attack, but for the lessons that still apply to your operations.

2021/12

disclosed

10.0

CVSS (worst class)

transitive

the heart of the fear

several

follow-up CVEs

What happened — a passive path becomes an attack vector

Log4j handled the mundane task of writing logs, and was practically everywhere in the Java world. The flaw: the library interpreted a certain pattern inside logged strings as something to "resolve by reaching out externally," and ended up executing externally specified code.

So an attacker who got a crafted string into "somewhere that gets logged" (a username, a header) could reach code execution. The shock of a passive act like logging becoming an attack path was profound.

Why "are we affected?" was so hard to answer

Most apps never installed Log4j directly. A framework or SDK pulled it in — a transitive dependency: a dependency of a dependency of a dependency. Without your "bill of materials," you couldn't even tell if you were affected.

Your app (one line in package.json)

└─▶

framework / SDK (direct dependency)

└─▶

a logging component (dependency of a dependency)

└─▶

Log4j ← the vulnerability (never installed directly)

You added one line, but dozens of 'dependencies of dependencies' sit beneath it. Log4j hid there.

The scariest part was 'you can't tell'

When you "can't tell if you use it," you can't even prioritize the response. Whether you held a bill of materials (SBOM) decided how that night went.

Timeline

2021-12-09–10
The flaw becomes widely known; the world scrambles to check "are we affected?"
right after
Emergency patching and stopgap mitigations roll out; exploit attempts spike.
afterward
Several follow-up CVEs (fixes to the fix) are published — "fixed once" wasn't the end.

Lessons that still apply

Have an SBOM (bill of materials)

Make visible what your app uses internally — npm ls / lockfiles / SBOM tools show what's actually running. Looking only at "what you installed directly" isn't enough.

Machine-monitor dependencies

The moment a CVE drops, know automatically if it applies (Dependabot / osv-scanner) — including transitive dependencies. Manual patrols always miss.

Make patching fast

Keep the muscle of "upgrade, verify, ship" warm for emergencies. See building dependency monitoring.

Follow the follow-up CVEs

After Log4Shell, fixes to the fix appeared. Don't stop at "fixed once" — track the follow-ups.

FAQ

QWhat was 'new' about Log4Shell's fear?

It exposed the danger of transitive dependencies at global scale: being vulnerable through a library used inside another library, even with no direct install. Without knowing your SBOM, you couldn't even tell if you were affected.

QWhy did logging become an attack vector?

Log4j interpreted certain text inside logged strings as something to 'resolve by reaching out externally'. An attacker only had to get a crafted string somewhere that gets logged (a username, an HTTP header), turning a passive logging path into code execution.

QHow do I avoid repeating it?

Three things: machine-monitor dependencies (Dependabot/osv-scanner), generate an SBOM to see what you actually use, and run an update process fast enough to patch quickly — and follow the follow-up CVEs (fixes to the fix).