UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website.
Please be advised that the Java zero-day, dubbed Log4Shell, is being actively exploited. This critical vulnerability affects the Java utility Log4j versions 2.0 – beta9 to 2.14.1, and is being tracked as CVE-2021-44248. If this bug is successfully exploited, attackers could trick a server into downloading malicious code via unauthenticated remote code execution (RCE). This vulnerability could also be used to modify data on the server, learn about our internal network, exfiltrate data from other network servers, or open additional backdoors for spyware and malware.
Admins are advised to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the suggested mitigations immediately.