About Apache Log4j RCE vulnerability (CVE-2021-44228)

@scqrinc

Summary

  • Caused by Apache Log4j’s JNDI (“Java Naming and Directory Interface”) features.
  • How severe is it? The CVSS score is 10, the maximum, which means the highest risk.

Description

CVE-2021-44228 (known as “log4shell” or “log4jam”) is a severe remote code execution (RCE) vulnerability discovered in Log4j, and its impact is wide-ranging.

This is because Log4j is a logging library for Java, a widely used general-purpose programming language, and it is also used internally by popular frameworks and products such as Spring, Struts, Logstash and Solr.

Unfortunately, CVE-2021-44228 (log4shell) is straightforward for attackers to exploit. For services exposed to a network, especially the Internet, the situation is very dangerous.

It is being regarded as a historic vulnerability, compared with Heartbleed and Shellshock (also called Bashdoor), both discovered in 2014.

Updating Log4j version to 2.15.0 is strongly recommended.

How to fix it

  • Updating Log4j to version 2.15.0 (or later) is strongly recommended.

Second-best, temporary ways to mitigate it

When it is difficult to update Log4j, the following are possible:

  • Use a WAF.
  • If the version is 2.10.0 or later: disable JNDI lookups with the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS.
  • Otherwise: remove the JndiLookup class from the classpath.
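As an added example (not code from the original post or from the Log4j project), here is a Python script that applies the decision tree above to a log4j-core jar: it reads the version from the manifest, checks whether the JndiLookup class is present, and shows the in-memory equivalent of removing that class. The sample jars it builds are constructed stand-ins, not real build artifacts.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED, PROPERTY_OK = (2, 15, 0), (2, 10, 0)  # upgrade target; first version with formatMsgNoLookups

def jar_entries(jar_bytes):
    """Jar contents as {entry name: bytes}; a jar is a plain zip file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}

def version_tuple(v):
    parts = [int(x) for x in re.findall(r"\d+", v)[:3]]  # "2.14.1" -> (2, 14, 1)
    return tuple(parts + [0] * (3 - len(parts)))         # "2.15"   -> (2, 15, 0)

def log4j_version(jar_bytes):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    manifest = jar_entries(jar_bytes).get("META-INF/MANIFEST.MF", b"").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None

def strip_jndi_lookup(jar_bytes):
    """Copy of the jar without JndiLookup.class (what `zip -q -d` does on disk)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, data in jar_entries(jar_bytes).items():
            if name != JNDI_LOOKUP_CLASS:
                dst.writestr(name, data)
    return out.getvalue()

def recommend(jar_bytes):
    """Apply the post's decision tree to one log4j-core jar."""
    v = log4j_version(jar_bytes)
    if v and version_tuple(v) >= FIXED:
        return "fixed"
    if JNDI_LOOKUP_CLASS not in jar_entries(jar_bytes):
        return "mitigated"     # JndiLookup.class already removed
    if v and version_tuple(v) >= PROPERTY_OK:
        return "set-property"  # log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS
    return "remove-class"      # older than 2.10.0: delete JndiLookup.class

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar, not a real build artifact."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return out.getvalue()
```

To use it on a real deployment, pass the bytes of each log4j-core jar found on the classpath to recommend(); strip_jndi_lookup() returns the rewritten jar to write back in place when removing the class is the chosen mitigation.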

This post is based on the tweets by my company.


Comments or feedback are welcome and appreciated.