Zero-day exploit for Log4j Java library

Zero-Day Exploit

Ongoing scans, exploitation of vulnerable systems

The bug, now tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam, is an unauthenticated RCE vulnerability allowing complete system takeover on systems running Log4j versions 2.0-beta9 through 2.14.1.

It was reported by Alibaba Cloud's security team to Apache on November 24. They also revealed that CVE-2021-44228 impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.

What can I do?

Patch and mitigation are available

Apache has released Log4j 2.15.0 to address the maximum severity CVE-2021-44228 RCE vulnerability.

The flaw can also be mitigated in previous releases (2.10 and later) by setting the system property "log4j2.formatMsgNoLookups" to "true", or by removing the JndiLookup class from the classpath.

Those using the library are advised to upgrade to the latest release as soon as possible, since attackers are already searching for exploitable targets.
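As an added example (not part of this article and not Apache's own tooling), the Python script below audits a log4j-core jar the way the steps above describe: it reads the manifest version, classifies it against the 2.0-beta9 to 2.14.1 affected range and the 2.10 cut-off for the property mitigation, writes a copy with the JndiLookup class removed, and reports the JVM flag for the property-based mitigation. The jar it operates on is a constructed stand-in built in a temporary directory, and all function names are the example's own.

```python
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # dropped by the class-removal mitigation
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # property-based mitigation, effective on 2.10 and later only

def manifest_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or "" if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            for line in jar.read("META-INF/MANIFEST.MF").decode().splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return ""

def assess(version):
    """Classify a Log4j 2.x version: affected below 2.15.0; property flag works from 2.10."""
    m = re.match(r"^2\.(\d+)", version)
    if not m:
        return {"affected": None, "flag_works": False}  # not a recognisable 2.x version string
    minor = int(m.group(1))
    return {"affected": minor < 15, "flag_works": 10 <= minor < 15}

def strip_jndi_lookup(jar_path, out_path):
    """Copy the jar without JndiLookup.class (zipfile cannot delete in place); return entries dropped."""
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))  # keeps the original entry metadata
    return removed

def demo(version="2.14.1"):
    """Build a constructed stand-in jar (not the real library), then audit and mitigate it."""
    with tempfile.TemporaryDirectory() as tmp:
        jar, patched = tmp + "/log4j-core.jar", tmp + "/log4j-core.patched.jar"
        with zipfile.ZipFile(jar, "w") as z:  # constructed sample entries, stand-ins for real classes
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        report = assess(manifest_version(jar))
        report["removed"] = strip_jndi_lookup(jar, patched)
        with zipfile.ZipFile(patched) as z:
            report["still_has_jndi_lookup"] = JNDI_LOOKUP_CLASS in z.namelist()
        report["jvm_flag"] = NO_LOOKUPS_FLAG if report["flag_works"] else None
        return report
```

On a real host the same class removal is usually done in place with `zip -q -d` against the log4j-core jar, after which the application must be restarted for the change to take effect.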


Details

Article ID: 137227
Created: Fri 12/10/21 1:18 PM
Modified: Fri 12/10/21 1:18 PM
Environment: Security