Log4j Remote Code Execution Vulnerability Likely to Affect Millions

2 years ago
Anonymous $FNmJglWnLu

https://adtmag.com/articles/2021/12/15/log4j-vulnerability.aspx

A critical remote code execution (RCE) vulnerability (CVE-2021-44228) in the Apache Software Foundation's (ASF) Log4j, a widely used open-source Java logging library, is being leveraged by malicious actors in the wild.

The vulnerability, known as "Log4jShell," affects Log4j2 versions up to and including 2.14.1. According to the AWS security guide, the Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. (JNDI is an API that provides naming and directory functionality to applications written using Java.) An attacker with the ability to control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
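An added example (not from the article or the Log4j project): a small inventory check that flags `log4j-core` jars whose version falls in the range stated above, up to and including 2.14.1. It assumes jars keep the standard `log4j-core-<version>.jar` file name; the function names and the sample paths are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Range taken from the text above: Log4j2 versions up to and including 2.14.1.
LAST_AFFECTED = (2, 14, 1)

# Assumption: standard naming log4j-core-<version>.jar. Other artifacts such as
# log4j-api or Log4j 1.x (log4j-1.2.17.jar) are deliberately not matched.
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z0-9]+))?\.jar$"
)

def parse_version(jar_path):
    """Return (major, minor, patch) for a log4j-core jar, or None for any other file."""
    m = JAR_RE.match(PurePosixPath(jar_path).name)
    if not m:
        return None
    # A missing patch number counts as 0; a pre-release suffix (e.g. -beta9) is ignored.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))

def is_affected(version):
    """True if the version is a Log4j2 (2.x) release at or below 2.14.1."""
    return version[0] == 2 and version <= LAST_AFFECTED

def find_affected(jar_paths):
    """Return [(path, version_string)] for every log4j-core jar in the affected range."""
    hits = []
    for path in jar_paths:
        version = parse_version(path)
        if version is not None and is_affected(version):
            hits.append((path, ".".join(map(str, version))))
    return hits

# Constructed sample inventory (not from the page).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
    "/srv/svc/WEB-INF/lib/log4j-core-2.11.0.jar",
    "/srv/new/lib/log4j-core-2.17.1.jar",
    "/srv/old/lib/log4j-core-2.0-beta9.jar",
]

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_JARS):
        print(f"AFFECTED log4j-core {version}: {path}")
```

A file-name check misses copies of the library that were renamed or bundled inside another archive, so treat an empty result as a starting point for further inventory rather than proof of absence.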
