Over the last few weeks, a number of security teams have been responding to the Apache Log4j vulnerabilities, known collectively as Log4Shell.
CVE-2021-44228 was the original, high-impact problem. Subsequent findings followed closely, with the Apache project apparently struggling to get updates out in response to each new finding.
There’s a lot to discuss here:
1. What is Log4Shell?
2. Why is it a significant problem?
3. How can it be exploited?
4. How easy are the exploits?
5. How do you protect against Log4Shell attacks?
6. Why is log4j so widely used?
7. What other attacks on log4j were found subsequent to CVE-2021-44228? Were they as serious?
Discuss what this is, what impact you have seen (if any), and what this says about open source.