
Critical vulnerability in Java library Log4j

In mid-December 2021, the critical vulnerability CVE-2021-44228 [MIT2021] ('Log4Shell') and two further vulnerabilities (CVE-2021-45046 and CVE-2021-45105) in the widely used Java library Log4j initially led the BSI to assess the threat landscape as extremely critical. In the BSI's view, this situation has now improved considerably. The BSI therefore reduced the alert level of its cyber security warning (CSW 2021-549177-1232) on 12 January 2022.

In the meantime, a number of software manufacturers have published patches or workarounds for their products. Contrary to expectations, the vulnerability was not widely exploited in Germany over the Christmas period. However, there are signs that it was abused elsewhere in the world. By now, companies and public authorities should have installed the patches, applied the workarounds and checked their networks for possible exploitation during the period in which they were vulnerable.

Organisations must continue to monitor their networks more closely for any anomalies.

Detection and reaction

The Arbeitspapier Detektion und Reaktion Log4j Schwachstelle, Version 1.4 (working paper on detecting and responding to the Log4j vulnerability) compiles in-depth information about the currently known vulnerabilities, potential mitigation measures and appropriate detection measures. It is continually updated in light of new findings.

Previous reports from the BSI

Version 1.2: Kritische "Log4Shell" Schwachstelle in weit verbreiteter Protokollierungsbibliothek Log4j (Critical "Log4Shell" vulnerability in the widely used logging library Log4j; 12 January 2022)
To improve clarity and readability, all the relevant findings were consolidated into one CSW on 14 December 2021. This CSW, numbered 2021-549177-1032, therefore replaces.

Version 1.5: Kritische Schwachstelle in log4j veröffentlicht
(Version 1.5: Critical vulnerability in Log4j published; PDF, 211 KB, file is (mostly) barrier-free, opens in a new window.) This CSW, numbered 2021-549032-1432, will not be updated further following the 1.5 update from 17 December 2021.

Press conference held on 13 December 2021, 3 p.m. (Tagesschau news website stream)

Press release from 11 December 2021

Recommendations for consumers

'Log4Shell' vulnerability threatens systems worldwide (available in German)

Bulletin from CERT-Bund

The Warning and Information Service (WID) of CERT-Bund maintains a record of the software products affected by current vulnerabilities and weaknesses, as well as the corresponding sources. These bulletins are primarily intended for IT employees in the Federal Administration, KRITIS (critical infrastructure) companies and CERTs, but any citizen can subscribe to them. Since not all the information is verified, it may be incomplete or incorrect.

The latest bulletin about Log4j:

Further information and personalised subscriptions are available on the Warning and Information Service (WID) website.