Log4Shell: Issue Overview and StackHawk Response to Log4j Remote Code Execution Vulnerability
Blog post from StackHawk
On December 10, 2021, a critical vulnerability known as Log4Shell was disclosed in Log4j, the widely used Java logging framework. Tracked as CVE-2021-44228, it carries the highest severity rating, a CVSS score of 10. The flaw is present in all versions up to 2.14.1 and allows an attacker to execute code remotely on affected systems through the logging framework, which underpins many Java applications, including Apache Struts 2, Solr, Druid, and Spring Boot. The recommended mitigation is to update to version 2.15.0 or later.

StackHawk, which provides security testing tools, states that its internal infrastructure does not use Log4j. Its scanner, HawkScan, is built on the Zed Attack Proxy (ZAP) and does use Log4j, but it has been updated to address the issue, and a beta of the updated scanner has been released. The company adds that its usual deployment practices keep the risk of exposure to this vulnerability low.

StackHawk also suggests using Software Composition Analysis (SCA) tools and Out-of-Band Application Security Testing (OAST) to detect the presence of vulnerable Log4j versions and to confirm that remediation has actually taken effect.
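The SCA check StackHawk recommends can be illustrated in miniature as a scan of a project's Maven manifest for `log4j-core` versions below the fix release. The following Python is an added example, not StackHawk's or the Log4j project's code; it assumes the 2.15.0 threshold stated above, a constructed `pom.xml`, and that a dependency whose version cannot be resolved from the manifest (for example one managed by a BOM) is flagged for manual review rather than silently passed.

```python
import re
import xml.etree.ElementTree as ET

FIXED = "2.15.0"  # the fixed release named in the post (assumption: threshold for this check)
LOG4J_GROUP, LOG4J_CORE = "org.apache.logging.log4j", "log4j-core"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); a pre-release such as '2.0-beta9' -> (2, 0, 0, 0), below the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)

def is_vulnerable(version):
    """True when the declared log4j-core version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED)

def _local(tag):
    return tag.split("}")[-1]  # strip the Maven POM XML namespace from a tag name

def log4j_core_versions(pom_xml):
    """Every declared log4j-core version in a pom.xml string, with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for node in root.iter() if _local(node.tag) == "properties" for p in node}
    versions = []
    for dep in (n for n in root.iter() if _local(n.tag) == "dependency"):
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == LOG4J_GROUP and f.get("artifactId") == LOG4J_CORE:
            ref = re.fullmatch(r"\$\{(.+)\}", f.get("version", ""))
            versions.append(props.get(ref.group(1), "unresolved") if ref else f.get("version", "unresolved"))
    return versions

def scan_pom(pom_xml):
    """List of (version, vulnerable) pairs; an unparseable or unresolved version is reported as None."""
    result = []
    for v in log4j_core_versions(pom_xml):
        try:
            result.append((v, is_vulnerable(v)))
        except ValueError:
            result.append((v, None))  # could not determine the version; needs manual review
    return result

# Constructed sample pom.xml for this example, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>${log4j.version}</version></dependency>
  </dependencies>
</project>"""
```

Running `scan_pom(SAMPLE_POM)` reports the single `log4j-core` dependency at 2.14.1 as vulnerable; the `log4j-api` entry is ignored because the executable lookup lives in `log4j-core`.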