nabbisen

Posted on • Edited on • Originally published at scqr.net

About Apache Log4j RCE vulnerability (CVE-2021-44228)

Summary

  • Caused by the JNDI ("Java Naming and Directory Interface") lookup features of Apache Log4j.
  • How severe is it? The CVSS score is 10, the maximum, meaning the highest possible risk.

Description

CVE-2021-44228 (nicknamed "log4shell" or "log4jam") is a severe remote code execution (RCE) vulnerability discovered in Log4j, and it affects a wide range of software.

That is because Log4j is a logging library for Java, a widely used general-purpose programming language, and it is also used internally by popular frameworks and products such as Spring, Struts, LogStash and Solr.

Unfortunately, exploiting the CVE-2021-44228 (log4shell) vulnerability is straightforward and easy for attackers. For services open to a network, and especially to the Internet, the situation is really dangerous.

It is being considered a historic vulnerability, mentioned alongside Heartbleed and Shellshock (or Bashdoor), which were discovered in 2014.

Updating Log4j version to 2.15.0 is strongly recommended.

How to fix it

  • Updating Log4j to version 2.15.0 (or later) is strongly recommended.

Second best and temporary ways to mitigate it

When updating Log4j is difficult, the following are possible:

  • Use a WAF.
  • If the version is 2.10.0 or later: disable JNDI lookups with the system property (log4j2.formatMsgNoLookups) or the environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS).
  • Otherwise: remove the JndiLookup class from the classpath.
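As an added example that is not part of the original post, this POSIX shell snippet picks the temporary mitigation the list above prescribes for a given Log4j 2 version and shows how each one is checked and applied; the jar path passed to the functions and the JAVA_OPTS convention in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): choose and apply the temporary
# Log4j 2 mitigations described above, keyed on the installed version.

# True (exit 0) when dotted version $1 is greater than or equal to version $2.
# Missing components are treated as 0, so "2.10" equals "2.10.0".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Which temporary mitigation applies when upgrading is not possible:
#   none         - 2.15.0 or later, already fixed according to the post
#   property     - 2.10.0 up to 2.14.x: disable message lookups at JVM start
#   remove-class - older: delete JndiLookup from the classpath
mitigation_for() {
  if version_ge "$1" 2.15.0; then echo none
  elif version_ge "$1" 2.10.0; then echo property
  else echo remove-class
  fi
}

# The "property" mitigation as a JVM flag (hypothetical start-script usage:
#   JAVA_OPTS="$JAVA_OPTS $(no_lookups_jvm_flag)"); the environment-variable
# form from the post is LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
no_lookups_jvm_flag() {
  echo "-Dlog4j2.formatMsgNoLookups=true"
}

# Check (exit 0) whether the jar at path $1 still contains the JndiLookup class.
has_jndi_lookup() {
  unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# The "remove-class" mitigation: delete the class from the log4j-core jar at
# path $1 in place with zip(1). Keep a backup of the jar before running this.
remove_jndi_lookup() {
  zip -q -d "$1" org/apache/logging/log4j/core/lookup/JndiLookup.class
}
```

Run `mitigation_for 2.14.1` to see which branch a version falls into, and `has_jndi_lookup path/to/log4j-core.jar` to confirm that the class is gone after `remove_jndi_lookup`.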

This post is based on the tweets by my company.
