The maintainers of popular Java logging library Apache Log4j have rushed out a patch for a critical vulnerability that could lead to remote code execution (RCE) in numerous applications. The relative ease of exploitation, attackers’ ability to seize control of targeted servers, and the ubiquity of Log4j make for a serious situation.
An exploit for a critical zero-day vulnerability affecting Apache Log4j2 known as Log4Shell was disclosed on December 9, 2021. All versions of Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability. This vulnerability is actively being exploited in the wild.
1. How to fix:
Apache Log4j2 version 2.15.0 fixes this vulnerability. So you can update your Apache Log4j2 to avoid any security issue.
2. Fix Without updating Apache Log4j2:
If updating the version is not possible, the following mitigation can be applied:
- In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups to true or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
- For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
- For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
Sources:
CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell) | Qualys Security Blog
New Log4j Vulnerability CVE-2021-44228: Info and Remediation | WhiteSource (whitesourcesoftware.com)
