Applies To: Developers/ System Administrators using Apache Log4j2
Do you manage or develop applications or services exposed to the Internet that uses Log4j?
Log4j is one of several Java logging frameworks. Remote entry points could be any application that accepts input using the log4j java software library, allowing an attacker to use and take control of services, including running arbitrary java code on a server. Apache Log4j2 is a critical exploitable vulnerability listed on the Cybersecurity and Infrastructure Security Agency (CISA) 'Known Exploited Vulnerabilities Catalog' as CVE-2021-44228.
The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."
Updated December 15, 2021: the Apache Log4j version 2.16.0 security update that address the CVE-2021-45046 vulnerability disables JDNI. An adversary can exploit this CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.
CISA Apache Log4j Vulnerability Guidance https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
CISA Known Exploited Vulnerabilities Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Apache Log4j 2 https://logging.apache.org/log4j/2.x/
Github Software List of Impacted Applications https://github.com/cisagov/log4j-affected-db