Hackers can leverage the initial vulnerability (CVE-2021-44228) to send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 and higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take control of it. This is an RCE (remote code execution) attack.
Later the security community learned that the Log4Shell vulnerability fix still left Log4j open to attackers. This second vulnerability (CVE-2021-45046) allows threat actors to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. The Apache Software Foundation mitigated this vector by completely removing the message lookups feature in Log4j v2.16.0. Sumo Logic proactively released an Installed Collector with v2.16.0 on Dec. 16th, 2021.
On Dec. 18th, the NVD published a third vulnerability (CVE-2021-45105), since Log4j v2.16.0 didn't protect against uncontrolled recursion from self-referential lookups, allowing an attacker to cause a DoS. Sumo Logic proactively released an Installed Collector with v2.17.0 on Dec. 19th, 2021.
On Dec. 28th, the NVD published a fourth vulnerability (CVE-2021-44832), as Log4j v2.17.0 was vulnerable to an RCE attack if an attacker has control of the target LDAP server. Sumo Logic proactively released an Installed Collector with Log4j v2.17.1 on Dec. 29th, 2021.
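The two input patterns described above, a JNDI lookup string in logged data (CVE-2021-44228 / CVE-2021-45046) and deeply nested self-referential lookups (CVE-2021-45105), can be flagged at the log-ingestion layer. The following detector is an added example, not Sumo Logic's code; the log lines, the `lookup-host.example` host and the nesting threshold are constructed for illustration.

```python
import re

# Matches a Log4j JNDI lookup such as ${jndi:ldap://...} and captures the
# scheme (ldap, ldaps, rmi, dns, ...). Case-insensitive, since Log4j itself
# treats the "jndi" prefix case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:\s*([a-z]+):", re.IGNORECASE)


def lookup_depth(line: str) -> int:
    """Return the deepest nesting of ${...} lookups found in the line."""
    depth = max_depth = 0
    i = 0
    while i < len(line):
        if line.startswith("${", i):
            depth += 1
            max_depth = max(max_depth, depth)
            i += 2
            continue
        if line[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return max_depth


def classify(line: str, max_depth: int = 3) -> dict:
    """Classify one log line. max_depth is a constructed threshold: normal
    application messages rarely nest lookups more than a level or two."""
    m = JNDI_LOOKUP.search(line)
    depth = lookup_depth(line)
    return {
        "jndi": m is not None,
        "scheme": m.group(1).lower() if m else None,
        "depth": depth,
        "suspicious": m is not None or depth > max_depth,
    }


def scan(lines):
    """Return (index, classification) for every suspicious line."""
    return [(i, c) for i, c in enumerate(map(classify, lines)) if c["suspicious"]]


# Constructed sample log lines: one benign, one JNDI lookup, one deep nesting.
SAMPLE_LOG = [
    '2021-12-10T10:01:58Z INFO user=alice action=login msg="price is ${amount}"',
    '2021-12-10T10:02:11Z INFO GET / ua="${jndi:ldap://lookup-host.example/a}"',
    '2021-12-10T10:02:40Z INFO GET / user="${${${${env:USER}}}}"',
]

if __name__ == "__main__":
    for idx, result in scan(SAMPLE_LOG):
        print(idx, result)
```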