Log4Shell Overview and Resources for Log4j Vulnerabilities

Take urgent action and proactively hunt for malicious Log4j behaviors

Defending Against the Log4j Vulnerabilities

The Log4Shell vulnerability was first found in the popular Apache Log4j 2. It's a critical zero-day vulnerability that enables bad actors to perform remote code execution (RCE). Log4j is used in frameworks such as Apache Struts 2, Apache Solr, Apache Druid and Apache Flink.

In many instances, system admins may not be aware that Log4j is being used in their environments, leaving thousands of applications and third-party services at risk. Additional Log4j vulnerabilities have continued to add complexity to response efforts for many organizations.

[Figure: Log4Shell Attack Diagram]

Get Ahead With Splunk

Review and update your log types ingested into Splunk, then look for evidence of Log4j activity using process execution logs or file creation logs.

Use GitHub data in Splunk to find Log4j in your projects.

Search for compromised hosts with Network Traffic and DNS query logs.

Install Splunk Security Essentials and check out Splunk Research for detections to investigate and respond.

Look for other signs of code execution from external hosts and sources.

Expand monitoring across your IT infrastructure.

FEATURED VIDEO

Simulating, Detecting and Responding to Log4j Vulnerabilities

Watch this video to see how the Splunk Threat Research Team (STRT) replicated an attack chain using the Log4j vulnerability to compromise a host. 

This proof-of-concept enabled the STRT to develop detections and responses that you can start using in Splunk today.

How Splunk Is Responding to the Vulnerability

Splunk is reviewing for impact and remains focused on the fastest possible remediation for CVE-2021-44228 and CVE-2021-45046.

Splunk SURGe
Supercharge your blue team with research-based content from security experts and timely technical guidance to stay ahead of threats.