Log4Shell – Unauthenticated RCE 0-day exploit
A vulnerability is present in all applications embedding Log4j (versions 2.0 to 2.14.1) for their audit logging feature. This mainly affects the Apache stack, but also applications such as Elasticsearch, Redis, etc. The vulnerability is based on forcing an application to log a specific string, which causes the vulnerable system to download and run a malicious script from an attacker-controlled domain.
According to security researchers, apps and services across the globe have already been actively scanned for vulnerable versions of Log4j by malicious actors. Some Atos products may include the vulnerable component in their delivered distribution.
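To find out whether a delivered distribution embeds the component, the archives can be inventoried for `log4j-core` jars in the version range given above. The following is an added example, not part of the original bulletin; the function names, the nesting limit and the sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Affected range as stated on this page: Log4j 2.0 through 2.14.1.
LOW, HIGH = (2, 0, 0), (2, 14, 1)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def affected(name):
    """Return the version tuple if name is a log4j-core jar in the affected
    range; pre-release suffixes (-beta9) count as their base version."""
    m = JAR_RE.search(name)
    if not m:
        return None
    ver = tuple(int(g or 0) for g in m.groups())
    return ver if LOW <= ver <= HIGH else None

def scan_archive(data, path, depth=0):
    """List (location, version) of affected jars in archive bytes, nested ones included."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for entry in zf.namelist():
            full = f"{path}!/{entry}"
            ver = affected(entry)
            if ver:
                hits.append((full, ".".join(map(str, ver))))
            elif entry.lower().endswith(ARCHIVES) and depth < 4:  # assumed nesting limit
                hits += scan_archive(zf.read(entry), full, depth + 1)
    return hits

def sample_war():
    """Constructed sample: WAR with an affected jar, a newer jar, and a nested fat jar."""
    def zip_of(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    fat = zip_of({"BOOT-INF/lib/log4j-core-2.0-beta9.jar": b""})
    return zip_of({"WEB-INF/lib/log4j-core-2.14.1.jar": b"", "WEB-INF/lib/app.jar": fat,
                   "WEB-INF/lib/log4j-core-2.17.1.jar": b""})

if __name__ == "__main__":
    for location, version in scan_archive(sample_war(), "app.war"):
        print(version, location)
```

The check matches on file names only, so a jar that has been renamed or repackaged into another library (shaded) will not be reported and needs a content-based check.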
See the attached Security Bulletin for more details.