The log4shell vulnerability has been called one of the most significant cybersecurity vulnerabilities in recent history. For weeks after initial disclosure, companies around the globe scrambled to respond by patching their systems or by applying mitigating security measures to protect systems that could not be readily patched. There are many possible ways to detect if and where an organization is vulnerable to log4shell, each with advantages and disadvantages. Penetration testing in particular is one possible solution, though its results can be misleading if not interpreted in the proper context. Mitigation measures have varying degrees of success: Web Application Firewalls (WAFs) could be bypassed, whereas our analysis revealed that outbound network restrictions would have provided an effective protection given the rapidly evolving patch cycle. Ultimately, log4shell should change the way we look at web attack surfaces; doing so will ensure we can be better prepared for the next critical zero-day Remote Code Execution (RCE) vulnerability.
Index Terms—Log4j; Web Attack Surface; Penetration Testing