Apache Log4j2 Zero-day Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-44228)

A remote code execution vulnerability in Apache Log4j2 was disclosed publicly on December 9, 2021, and is actively being exploited in the wild. By sending specially crafted requests to an application that logs attacker-controlled input with Log4j2, attackers can execute remote code. Because the impact of this issue is so broad, users are advised to assess their exposure to the related vulnerabilities as soon as possible.

If the server runs a Java runtime later than 8u121, it is protected against remote code execution because “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” default to “false”.

Apache Log4j is a logging tool written in Java. It was created by Ceki Gülcü and is part of the Apache Software Foundation’s Apache Logging Services project. Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over Log4j 1.x. It also incorporates many of the improvements found in Logback while correcting some architectural flaws.
 
Cloud services such as Steam and Apple iCloud, as well as applications such as Minecraft, have been found to be exposed to this vulnerability. Anyone that uses Apache Struts is almost certainly at risk. Similar vulnerabilities have been used in other data breaches, such as the 2017 Equifax data leak. Many open-source projects, such as the Paper Minecraft server, have already begun patching their log4j usage.
 
Affected versions  
All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4, are affected by this vulnerability.

Mitigation  
To address the vulnerability, a new Apache Log4j version has been released.  
 
Log4j 1.x mitigation 

  • Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation 

  • Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

For more information, please refer to the Apache Log4j security advisory. 

Other, insufficient mitigation measures are: setting the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1. These only reduce exposure; upgrading to a fixed release is the actual remediation.
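To turn the affected range and the mitigation guidance above into something an inventory can be checked against, here is a small Python example. It is added here and is not code from Qualys or from the Apache Log4j project. It encodes the affected range exactly as stated above (2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4), the fixed release per Java level, and the two partial mitigations with the version windows in which they have any effect. The version-string format, the host names and the inventory records are constructed for the example.

```python
import re

# Ordering of Log4j pre-release qualifiers: 2.0-alpha7 < 2.0-beta9 < 2.0-rc1 < 2.0 (final)
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3


def parse_version(version: str) -> tuple:
    """Turn a Log4j version string such as '2.0-beta9' into a comparable tuple.

    '2.0-beta9' -> ((2, 0, 0), 1, 9)   and   '2.14.1' -> ((2, 14, 1), 3, 0),
    so a final release always ranks above any pre-release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad so that '2.10' and '2.10.0' compare equal
    if m.group(2) is None:
        return (numbers, _RELEASE_RANK, 0)
    return (numbers, _QUALIFIER_RANK[m.group(2)], int(m.group(3) or 0))


# Affected range as stated in the advisory text: 2.0-alpha7 .. 2.17.0, excluding 2.3.2 and 2.12.4
_AFFECTED_LOW = parse_version("2.0-alpha7")
_AFFECTED_HIGH = parse_version("2.17.0")
_EXEMPT = {parse_version("2.3.2"), parse_version("2.12.4")}


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return _AFFECTED_LOW <= v <= _AFFECTED_HIGH and v not in _EXEMPT


def recommended_upgrade(java_major: int) -> str:
    """Fixed release per Java level: 2.3.2 (Java 6), 2.12.4 (Java 7), 2.17.1 (Java 8+)."""
    if java_major <= 6:
        return "2.3.2"
    if java_major == 7:
        return "2.12.4"
    return "2.17.1"


def partial_mitigations(version: str, system_props: dict, env: dict, pattern_layout: str) -> list:
    """List which of the advisory's 'insufficient' mitigations are in place for this version.

    The property / environment-variable switch only exists from 2.10, and the
    {nolookups} pattern option only from 2.7 to 2.14.1, so each is counted only
    where it actually has an effect.
    """
    v = parse_version(version)
    present = []
    if v >= parse_version("2.10"):
        prop = system_props.get("log4j2.formatMsgNoLookups", "")
        envvar = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "")
        if prop.lower() == "true" or envvar.lower() == "true":
            present.append("formatMsgNoLookups")
    if parse_version("2.7") <= v <= parse_version("2.14.1"):
        if re.search(r"%(?:m|msg|message)\{nolookups\}", pattern_layout):
            present.append("nolookups pattern")
    return present


def assess(version: str, java_major: int, system_props=None, env=None, pattern_layout="") -> dict:
    """Combine the checks into one finding for an inventory record."""
    system_props = system_props or {}
    env = env or {}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": recommended_upgrade(java_major) if affected else None,
        "partial_mitigations_present": partial_mitigations(version, system_props, env, pattern_layout),
    }


# Constructed inventory records for hypothetical hosts, not real scan output
INVENTORY = [
    {"host": "app-01", "version": "2.14.1", "java_major": 11,
     "system_props": {"log4j2.formatMsgNoLookups": "true"}, "pattern_layout": "%d %p %m%n"},
    {"host": "legacy-07", "version": "2.9", "java_major": 7,
     "pattern_layout": "%d{ISO8601} %m{nolookups}%n"},
    {"host": "app-02", "version": "2.17.1", "java_major": 8},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        result = assess(rec["version"], rec["java_major"], rec.get("system_props"),
                        rec.get("env"), rec.get("pattern_layout", ""))
        status = f"upgrade to {result['upgrade_to']}" if result["affected"] else "not affected"
        print(f"{rec['host']}: log4j {rec['version']} -> {status}; "
              f"partial (insufficient) mitigations present: "
              f"{result['partial_mitigations_present'] or 'none'}")
```

Note that a host reporting a partial mitigation is still listed as needing the upgrade: the checker deliberately never lets formatMsgNoLookups or a {nolookups} pattern downgrade an affected finding, in line with the advisory calling these measures insufficient.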

Qualys Detection  
Qualys customers can scan their devices with QIDs 376157, 730297 and 376160 to detect vulnerable assets.
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://logging.apache.org/log4j/2.x/security.html  
https://www.lunasec.io/docs/blog/log4j-zero-day/ 
https://github.com/tangxiaofeng7/apache-log4j-poc 
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1 
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html 
https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ 
