Safeguard
Tag

log4shell

Safeguard articles tagged "log4shell" — guides, analysis, and best practices for software supply chain and application security.

35 articles

Application Security

Finding vulnerable code hidden inside shaded and uber JARs

JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.

Jul 16, 20266 min read
Application Security

Log injection attacks and how to stop forging your own audit trail

One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.

Jul 15, 20265 min read
Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Security Guides

Log4Shell Explained: Root Cause and Complete Remediation

Log4Shell (CVE-2021-44228) hit CVSS 10.0 and is still exploited today. Here's how the attack works, why it lingers, and how to remediate it completely.

Jul 8, 20265 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Threat Research

Transitive Dependency Risk Explained: The Code You Never Chose

Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.

Jul 6, 20266 min read
Security Guides

Log4j Security Guide (2026)

Log4j is the most widely deployed Java logging library — and the source of Log4Shell, the defining supply-chain vulnerability of the decade. Here is how to run it safely in 2026.

Jul 5, 20266 min read
Security Guides

OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide

Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.

Jul 4, 20266 min read
Threat Research

Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend

CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.

Jul 2, 20266 min read
Vulnerability Analysis

Log4j Log4Shell vulnerability explained CVE-2021-44228

Log4Shell (CVE-2021-44228) let attackers gain RCE via a single logged string. Here's the CVSS/EPSS/KEV context, timeline, and how to remediate it.

Jul 2, 20267 min read
Threat Research

What Is a Software Supply Chain Attack? Explained

A software supply chain attack compromises the code, tools, or pipeline your software depends on — not the product itself. Here is how it works and how to defend.

Jul 1, 20267 min read
Vulnerability Analysis

Log4Shell remediation cheat sheet

A practical, no-fluff Log4Shell remediation cheat sheet: affected versions, CVSS/EPSS/KEV context, timeline, and the exact steps to close CVE-2021-44228.

May 6, 20267 min read
log4shell — Safeguard Blog