Apache Log4j vulnerability actively exploited, impacting millions of Java-based apps. This vulnerability was discovered by Alibaba Cloud Security Team that impacts Apache Log4j 2 versions 2.0 to 2.14.1. There are reports from Log4j maintainers that the 1.x series may also vulnerable to this issue when using the JMS Appender class.
The weakness can prompt remote code execution on the basic servers that run weak applications and taking advantage of the issue requires no authentication.
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.
Why Apache Log4j2 vulnerability is so dangerous
This vulnerability has been tagged as CVE-2021-44228 which sits on a CVSS score of 10. Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response.
- Log4J versions 2.15.0 and prior are subject to a remote code execution vulnerability
- The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated
- Upgrading your Log4J version is the best easy solution to mitigate for this threat
Practically all editions of Log4j are powerless, beginning from 2.0-beta9 to 2.14.1.
What uses Apache Log4j?
Log4j is widely used with Apache software like Apache Struts, Solr, Druid, along with other technologies.
Mitigating Log4J Vulnerability
The easiest and best security strategy is to introduce the latest edition of the library, 2.15.0. You can download it from the official website.
In the event that for reasons unknown refreshing the library is preposterous, Apache Foundation suggests utilizing one of the alleviation techniques. If there should be an occurrence of Log4J variants from 2.10 to 2.14.1, they recommend setting the log4j2.formatMsgNoLookups framework property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS climate variable to true.
Also, please note that Log4J v1 is End Of Life (EOL) and will not receive any updates/patches for this vulnerability and hence should be updated immediately.