Attackers are actively exploiting a critical vulnerability in Apache Log4j, a logging library that is used in potentially millions of Java-based applications, including web-based ones. Organizations should immediately review whether their apps, especially the publicly accessible ones, use the library, and should implement mitigations as soon as possible.
A proof-of-concept exploit for the vulnerability, now tracked as CVE-2021-44228, was published on December 9 while the Apache Log4j developers were still working on releasing a patched version. Attacks started soon after, making the flaw a zero-day (unpatched) issue at the moment of exploitation. Apache has since released Log4j 2.15.0, which includes a fix.
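The review the article calls for starts with an inventory: which deployed artifacts bundle log4j-core, and at what version. Because Java applications commonly ship the library nested inside WARs, EARs or fat JARs, a filename search alone misses copies. The script below is an added example, not code from the article or from the Apache project: it walks a directory, opens every archive (JARs are ZIP files), descends into nested archives, reads the version from the Maven `pom.properties` that log4j-core ships with, and flags anything older than 2.15.0, the fixed release the article names. The threshold constant, the file-suffix list and the sample WAR are assumptions and constructed data; adjust the threshold to whatever release your vendor currently recommends.

```python
"""Inventory helper for Log4j 2 (log4j-core) copies on disk, including copies
nested inside other archives. Added example; the fixed-version threshold and
the sample archive are assumptions/constructed data, not from the article."""
import io
import os
import re
import zipfile

# First release the article names as carrying the fix (assumption: treat anything older as needing review).
FIXED_VERSION = (2, 15, 0)
# Maven metadata that log4j-core jars carry; its "version=" line is more reliable than the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")  # assumed set of archive types to open


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers are dropped, so '2.0-beta9' -> (2, 0, 0)."""
    nums = re.findall(r"\d+", text.split("-")[0])
    parts = [int(n) for n in nums[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_needs_review(text):
    """True when the version predates the fixed release 2.15.0."""
    return parse_version(text) < FIXED_VERSION


def _version_from_props(raw):
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive_bytes(data, location):
    """Return [(location, version, needs_review)] for every log4j-core found in the
    archive bytes, descending into nested archives (fat jars, WAR WEB-INF/lib)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP-based archive despite its suffix; skip it
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                ver = _version_from_props(zf.read(name))
                if ver:
                    findings.append((location, ver, version_needs_review(ver)))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), location + "!/" + name))
    return findings


def scan_directory(root):
    """Walk a deployment directory and scan every archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), path))
    return findings


def build_sample_war():
    """Constructed sample for demonstration: a WAR bundling log4j-core 2.14.1 next to
    a fixed 2.15.0 copy and one non-ZIP file with a .jar suffix."""
    def make_core_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            j.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                  "artifactId=log4j-core\n"
                                  f"version={version}\n")
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_core_jar("2.14.1"))
        w.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_core_jar("2.15.0"))
        w.writestr("WEB-INF/lib/other.jar", b"not a zip")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_log4j.py /path/to/deployments ; with no argument, scans the constructed sample.
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_archive_bytes(build_sample_war(), "sample.war")
    for loc, ver, flag in results:
        print(f"{'REVIEW' if flag else 'ok    '} {ver:8} {loc}")
```

Run it against an application server's deployment directory and treat every `REVIEW` line as a host to patch or mitigate; the `!/` notation in the location shows where inside a nested archive the copy sits, which matters because a fat JAR or WAR has to be rebuilt rather than having a single file swapped on disk.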