A very serious vulnerability has been discovered in the popular Java-based logging package Log4j. This vulnerability allows an attacker to execute code on a remote server; this is known as Remote Code Execution (RCE). Due to the widespread use of Java and Log4j, this is probably one of the most serious vulnerabilities on the Internet since Heartbleed and ShellShock.

The operators of these two botnets (networks of infected computers) seek to compromise devices and servers and add them to the network under their control, in order to distribute malware that mines cryptocurrencies and to carry out DDoS (distributed denial of service) attacks.

What is Log4j?

Log4j is an open source logging library developed in Java.

The vulnerability is tracked as CVE-2021-44228 and affects Log4j 2, from version 2.0-beta-9 through 2.14.1. It is patched in 2.16.0.

It lets software developers write log messages whose purpose is to record a particular transaction at runtime.

Log4j allows you to filter messages based on their importance. Output configuration and message granularity are set at runtime using external configuration files.

If your company uses Java-based software that uses Log4j you should immediately read the section on how to mitigate and protect your systems before reading the rest.

How to mitigate CVE-2021-44228

To mitigate this, the following options are available (see the Apache advisory):

  1. Upgrade to Log4j v2.16.0.
  2. If you are using Log4j v2.10 or higher and you cannot upgrade, then set the system property

log4j2.formatMsgNoLookups=true

For these same affected versions, the same setting can also be made via an environment variable:

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

  3. Or remove the JndiLookup class from the classpath. For example, you can run a command like:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

to remove the class from the log4j-core jar.
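The following script is an added example, not code from the original article or from the Apache Log4j project. It turns the three mitigations above into an audit you can run against a log4j-core jar: it compares the jar's version with the affected range stated here (2.0-beta-9 through 2.14.1, fixed in 2.16.0), checks whether the log4j2.formatMsgNoLookups property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is set, and checks for (and can remove) JndiLookup.class, which is what the zip -d command does. It assumes the jar's manifest carries an Implementation-Version header, as Maven-built log4j-core jars do; the jar built by build_sample_jar() is a constructed stand-in with placeholder class entries, not a real Log4j build.

```python
"""Audit helpers for CVE-2021-44228 (Log4Shell) mitigations.

Added example, not part of the original article or of Apache Log4j.
The version range and the three mitigations come from the text above.
"""
import io
import os
import re
import zipfile

# Path of the class the article's `zip -d` command removes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta-9' into a comparable tuple.

    A pre-release (alpha/beta/rc) sorts before the final release with the
    same number, so that 2.0-beta-9 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v}")
    major, minor, patch, pre, pre_num = m.groups()
    core = (int(major), int(minor), int(patch or 0))
    tag = (1,) if pre is None else (0, int(pre_num))  # final > pre-release
    return core + tag


AFFECTED_MIN = parse_version("2.0-beta-9")   # range stated in the article
AFFECTED_MAX = parse_version("2.14.1")
FIXED = parse_version("2.16.0")              # mitigation 1: upgrade target
PROPERTY_MIN = parse_version("2.10.0")       # mitigation 2 needs 2.10 or higher


def is_affected_version(v):
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def version_status(v):
    """'fixed' (>= 2.16.0), 'affected' (inside the stated range) or
    'not-in-affected-range' (anything else, e.g. 1.x or 2.15.0)."""
    pv = parse_version(v)
    if pv >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= pv <= AFFECTED_MAX:
        return "affected"
    return "not-in-affected-range"


def lookups_disabled(jvm_props=None, env=None):
    """Mitigation 2: log4j2.formatMsgNoLookups=true as a system property, or
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the environment."""
    jvm_props = jvm_props or {}
    env = os.environ if env is None else env
    return (jvm_props.get("log4j2.formatMsgNoLookups", "").lower() == "true"
            or env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true")


def jar_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumption:
    the jar carries that header, as Maven-built log4j-core jars do)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def jar_contains_jndi_lookup(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def strip_jndi_lookup(jar_bytes):
    """Mitigation 3: rewrite the jar without JndiLookup.class, the same
    effect as `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def audit(jar_bytes, jvm_props=None, env=None):
    """Report which of the three mitigations, if any, is in effect."""
    version = jar_version(jar_bytes)
    status = version_status(version) if version else "unknown"
    jndi_present = jar_contains_jndi_lookup(jar_bytes)
    flag_set = lookups_disabled(jvm_props, env)
    # The property/env var only counts on 2.10 or higher, as the article notes.
    flag_effective = flag_set and version is not None and parse_version(version) >= PROPERTY_MIN
    return {
        "version": version,
        "status": status,
        "jndi_lookup_present": jndi_present,
        "lookups_disabled": flag_set,
        "mitigation_applied": status == "fixed" or not jndi_present or flag_effective,
    }


def build_sample_jar():
    """Constructed stand-in for log4j-core-2.14.1.jar: a manifest plus two
    placeholder entries (not real bytecode), enough to exercise the audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print(audit(jar, env={}))                     # affected, nothing applied
    print(audit(strip_jndi_lookup(jar), env={}))  # mitigated by removing the class
```

To use it on a real deployment, replace build_sample_jar() with the bytes of each log4j-core jar found on the classpath and pass the JVM's -D properties and process environment to audit(). Removing the class (or setting the flag) is a stopgap only on the versions the article lists; the upgrade to 2.16.0 is the mitigation that makes status "fixed".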

If you have any questions about the process, please do not hesitate to contact our security specialists.

We can support you in your end-to-end projects. Let's work together.