The ubiquitous Java logging library, log4j, has an unauthenticated remote code execution (RCE) vulnerability that is triggered if a user-controlled string is logged. This could allow an attacker full control of the affected server.
Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published.
Systems and services that use the Java logging library Apache log4j between versions 2.0 and 2.14.1 are affected. This includes many applications and services written in Java.
Source: CERT NZ
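
For triage against the affected range stated above, the following added example (not part of the CERT NZ advisory) walks a directory tree, including jars nested inside WAR, EAR and fat-jar archives, and reports `log4j-core` jars versioned 2.0 through 2.14.1. It assumes the library keeps its usual `log4j-core-<version>.jar` file name; the function names are this example's own.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated in the advisory above: 2.0 through 2.14.1.
LOW, HIGH = (2, 0, 0), (2, 14, 1)
# Assumption: the library ships under its usual name, log4j-core-<version>.jar.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def affected_version(name):
    """Return the version if `name` is a log4j-core jar in the affected range, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    if not m:
        return None
    ver = tuple(int(p or 0) for p in m.groups())
    # Pre-release suffixes (e.g. -beta9) are ignored, so they count as the base version.
    return ".".join(map(str, ver)) if LOW <= ver <= HIGH else None

def scan_archive(data, label, depth=0, max_depth=4):
    """Yield (path, version) for affected jars nested inside an archive's bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    for entry in zf.namelist():
        inner = f"{label}!/{entry}"
        ver = affected_version(entry)
        if ver:
            yield inner, ver
        # Recurse into bundled archives, with a depth limit against nesting bombs.
        if entry.lower().endswith(ARCHIVES) and depth < max_depth:
            yield from scan_archive(zf.read(entry), inner, depth + 1, max_depth)

def scan_tree(root):
    """Walk `root` and return a sorted list of (path, version) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            ver = affected_version(path.name)
            if ver:
                findings.append((str(path), ver))
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return sorted(findings)

if __name__ == "__main__":
    for where, ver in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AFFECTED log4j-core {ver}: {where}")
```

A clean result only covers copies that kept the standard file name; renamed or repackaged (shaded) copies of the library are not matched by this check.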