log4shell
Safeguard articles tagged "log4shell" — guides, analysis, and best practices for software supply chain and application security.
35 articles
Finding vulnerable code hidden inside shaded and uber JARs
JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.
Log injection attacks and how to stop forging your own audit trail
One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.
The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection
Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.
Log4Shell Explained: Root Cause and Complete Remediation
Log4Shell (CVE-2021-44228) hit CVSS 10.0 and is still exploited today. Here's how the attack works, why it lingers, and how to remediate it completely.
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
Transitive Dependency Risk Explained: The Code You Never Chose
Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.
Log4j Security Guide (2026)
Log4j is the most widely deployed Java logging library — and the source of Log4Shell, the defining supply-chain vulnerability of the decade. Here is how to run it safely in 2026.
OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide
Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.
Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend
CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.
Log4j Log4Shell vulnerability explained CVE-2021-44228
Log4Shell (CVE-2021-44228) let attackers gain RCE via a single logged string. Here's the CVSS/EPSS/KEV context, timeline, and how to remediate it.
What Is a Software Supply Chain Attack? Explained
A software supply chain attack compromises the code, tools, or pipeline your software depends on — not the product itself. Here is how it works and how to defend.
Log4Shell remediation cheat sheet
A practical, no-fluff Log4Shell remediation cheat sheet: affected versions, CVSS/EPSS/KEV context, timeline, and the exact steps to close CVE-2021-44228.