As you may be aware, a zero-day vulnerability was discovered in Log4j, a Java-based logging utility that is part of Apache Logging Services Project. Deployed on millions of servers, this vulnerability can be exploited to allow for remote code execution and total system control on vulnerable systems.
This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as “Log4Shell” in various blogs and reports.
This post provides resources to help you understand the vulnerability and how to mitigate it: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592?s=09
Exploiting CVE-2021-44228 in Java logging library: https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability
Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228): https://www.fortiguard.com/threat-signal-report/4335/apache-log4j-remote-code-execution-vulnerability-cve-2021-44228
Recommended mitigation steps
First and foremost, it is always highly recommended that users apply the vendor’s patches when they become available.
A new version of Log4j 2 has been released which reportedly resolves the issue: Version 2.15.0. Users with affected installations should consider updating this library at the earliest possible time.
Please note: the mitigation using Log4j version 2.15.0 only works when paired with and using Java 8. Users with earlier versions of Java (6 or 7) will need to apply and re-apply the temporary mitigations outlined below during reboots in certain scenarios, so this is not a long term solution unless the proper combination of Log 2.15.0+ and Java 8 are used.
In addition, there have been some various independent sources that have published potential temporary mitigation measures that involve changing configuration files.
- For versions >=2.10, users can set the system property log4j2.formatMsgNoLookups to true
- For versions >=2.10, also set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
- For 2.0-beta9 to 2.10.0, remove JndiLookup.class from class path: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
This blog relates to an ongoing investigation. We will update it with any significant updates. Should our investigation conclude that our customers may have been impacted, we will individually notify those customers proactively.