Security Advisory - CVE-2021-44228 | Apache Log4j utility Remote Code Execution Vulnerability

Description

Apache log4j 2 is an open source Java-based logging framework, which is leveraged within numerous Java applications around the world. Compared with the original log4j 1.X release, log4j 2 addressed issues with the previous release and offered a plugin architecture for users. On Aug. 5, 2015, log4j 2 became the mainstream version and all of the previous version log4j users were recommended to upgrade to log4j 2. Apache log4j 2 is widely used in many popular software applications, such as Apache Struts, ElasticSearch, Redis, Kafka and others. On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems.

List of Affected Software

• Apache Struts

• Apache Solr

• Apache Druid

• Apache Flink

• ElasticSearch

• Flume

• Apache Dubbo

• Logstash

• Kafka

• Spring-Boot-starter-log4j2

Affected Version

• Apache Log4j 2.x <= 2.15.0-rc1

Mitigation

This vulnerability is actively being exploited and anyone using Log4j should update to version 2.15.0 as soon as possible. The latest version can already be found on the Log4j download page.

Note:

• For more information on Protected view you can refer to the link mentioned below:

• https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

• https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/

• https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

• With the official Apache patch being released, 2.15.0-rc1 was initially reported to have fixed the CVE-2021-44228 vulnerability.

• However, a subsequent bypass was discovered. A newly released 2.15.0-rc2 version was in turn released, which protects users against this vulnerability.

#mitigation #apachelog4j #securityadvisory #vulnerabilities #patch #cybersecurity