Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3 and 2.3.1, are vulnerable to uncontrolled recursion caused by self-referential lookups during string interpolation. When Log4j interprets a crafted string that references attacker-controlled Thread Context Map (MDC) data in a recursive manner, lookup evaluation can recurse indefinitely. This can trigger a StackOverflowError and terminate the Java process. The issue affects configurations where non-default Pattern Layout and Context Lookup behavior permit attacker-influenced Thread Context Map values to be resolved. Apache fixed the flaw in Log4j 2.17.0 for the main branch, 2.12.3 for Java 7, and 2.3.1 for Java 6.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository is a defensive Log4Shell lab rather than a standalone offensive exploit drop, but it does contain working exploit components. The structure combines: (1) a vulnerable target container (`log4shell-app`, based on a public Spring Boot Log4j 2.14.1 image), (2) an nginx reverse proxy with the Coraza WAF and OWASP CRS plus custom Log4Shell rules, (3) an attacker container that builds and packages multiple JNDI exploitation toolkits, and (4) Suricata/Wazuh monitoring for network and SIEM visibility. The main exploit capability lives under `attacker/`. `attacker/exploit-classes/Exploit.java` is a malicious Java class intended to be loaded through a JNDI/LDAP reference. Its static initializer executes immediately on class load and performs proof-of-exploitation actions: OS-specific command execution to write a marker file, creation of `/tmp/log4shell-exploited.txt`, and an optional reverse shell routine that connects to `172.20.0.2:4444`. There is also a stubbed environment-information collection method. This makes the repo more than a detector: it includes an actual RCE payload class. `attacker/scripts/start-ldap-server.sh` operationalizes exploitation by launching one of three JNDI infrastructures: marshalsec, JNDI-Exploit-Kit, or rogue-jndi. These are configured to serve the malicious class or execute simple commands/callbacks. `attacker/scripts/test-payloads.sh` is a payload spray/test harness that sends many Log4Shell payload variants to the nginx proxy using common injection points such as `User-Agent` and `X-Forwarded-For`. It includes LDAP, RMI, DNS, nested-expression, env/sys fallback, Unicode, whitespace, and colon-dash obfuscation variants. This script is primarily for validation of WAF/IDS coverage, but it also demonstrates realistic attack strings. The rest of the repository is focused on detection and containment. `coraza/config/log4shell-rules.conf` defines custom Coraza rules for standard and obfuscated JNDI patterns, alternate protocols, JSON/XML body inspection, and anomaly-score blocking. `nginx/` contains a multi-stage Docker build that compiles libcoraza and the coraza-nginx module, installs OWASP CRS, and exposes HTTP/HTTPS reverse proxying to the vulnerable app. `suricata/rules/log4shell.rules` adds network signatures for inbound JNDI payloads and outbound LDAP/RMI/DNS/HTTP callbacks that would indicate successful exploitation. Overall purpose: provide an isolated lab to demonstrate the full Log4Shell attack chain and, more importantly, how nginx+Coraza and Suricata can detect/block it. Because the repository includes a real malicious Java payload and scripts to stand up LDAP/JNDI exploit servers, it should be classified as a valid exploit-capable lab with operational payloads, not merely documentation or a pure detection script.
This repository is a minimal proof-of-concept payload set for CVE-2021-45105 affecting Apache Log4j 2. It does not contain executable exploit code, scripts, or framework integration; instead it consists of five text files containing progressively larger recursive lookup expressions intended to be copied into attacker-controlled input that will later be logged by a vulnerable application. The file naming convention reflects payload depth/size: 1, 10, 100, 1000, and 10000 nested expansions. There are no outbound network calls, hardcoded URLs, IPs, domains, filesystem targets, or registry paths in the repository. The exploit capability is denial of service only: if one of these strings is processed by a vulnerable Log4j instance, recursive evaluation can trigger stack exhaustion or similar failure. Structurally, the repository is just a payload corpus for testing or demonstrating the vulnerability severity at different recursion depths.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Apache Log4j vulnerability referenced alongside Log4Shell in the content (no additional details provided).
A related Apache Log4j denial-of-service vulnerability affecting Log4j 2.16.0.
A denial-of-service vulnerability in Apache Log4j 2 fixed in version 2.17.0.
Apache Log4j 2 denial-of-service via recursive lookups causing StackOverflowError and process termination under certain non-default logging configurations.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.