Apache Log4j's initial fix for Log4Shell proved incomplete, as version 2.15.0 remained vulnerable to CVE-2021-45046 under certain non-default but realistic configurations. Security reports said attackers could bypass the localhost-only JNDI restriction introduced in 2.15.0 with a crafted LDAP URI, enabling remote code execution or sensitive data exfiltration when lookups were enabled, specific Pattern Layout Context Lookup settings were used, or applications logged attacker-controlled input through Logger.printf and related paths.
Apache responded by hardening Log4j further in 2.16.0, disabling JNDI by default and requiring explicit opt-in for users who still needed it. Advisories from Snyk and others urged organizations to upgrade beyond 2.15.0 immediately, or remove the JndiLookup class from affected releases as a temporary mitigation, while the broader Log4j incident continued to evolve with later fixes for additional flaws including CVE-2021-45105 and CVE-2021-44832.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Following the re-evaluation of CVE-2021-45046, security guidance changed to recommend upgrading to Log4j 2.16.0, which disables JNDI lookups by default, or removing the JndiLookup class from affected earlier releases. This marked the effective replacement of 2.15.0 as the recommended remediation.
By December 17, 2021, new information showed that the issue tracked as CVE-2021-45046 had been underestimated as a low-severity denial-of-service flaw and could still permit arbitrary code execution in Log4j 2.15.0 under certain conditions. Reports noted the localhost-only JNDI restriction in 2.15.0 could be bypassed with a crafted LDAP URI.
Praetorian published research showing that Log4j 2.15.0 remained vulnerable to sensitive data exfiltration in some scenarios despite prior mitigations. This indicated that the initial fix for Log4Shell was incomplete.
Apache tracked a security hardening change in JIRA to disable JNDI by default after the fallout from CVE-2021-44228. The change was planned for Log4j 2.16.0, with JNDI requiring explicit opt-in via a JVM flag or environment variable.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
snyk.io
Open sourcepraetorian.com
Open sourceblog.cloudflare.com
Open sourcesecurity.snyk.io
Open sourceissues.apache.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.