Security Test: Log4Shell¶

Description¶

Default Severity:

Log4Shell is a serious flaw in a logging tool where an attacker can send specially crafted input that tricks the system into fetching and executing malicious code from a remote source. This happens because the logging library processes dynamic data without proper safeguards, allowing untrusted information to trigger actions like loading rogue code. That means if a developer unknowingly logs user input directly, it might become a backdoor for hackers, exposing systems to full compromise. The danger lies in the ease of execution and the potential for widespread impact if left unpatched, especially in systems that use logs as diagnostic data without filtering.

Reference:

https://cwe.mitre.org/data/definitions/829.html
- https://logging.apache.org/log4j/2.x/security.html

Configuration¶

Identifier: injection/log4shel

Examples¶

All configuration available:

checks:
  injection/log4shel:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API8:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-97`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`SI-10`
CWE	`829`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C`
CVSS Score	`9.8`