Log4j Zero-Day Vulnerability Identified

Monday 13th December 2021

THIS PAGE IS UP TO DATE AS OF 5TH JANUARY 2022

On December 10th a new critical vulnerability in Log4j was disclosed, allowing unauthenticated remote code execution.

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021. This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.

Summary

  • A new critical remote code execution vulnerability in Apache Log4j2, a Java-based logging tool, is being tracked as CVE-2021-44228
  • Exploit proof-of-concept code is widely available, and internet-wide scanning suggests active exploitations
  • At the time of writing, exploit attempts lead to commodity cryptominer payloads. Bytes expects further opportunistic abuse by a wide variety of attackers, including ransomware and nation-state actors
  • Major services and applications globally are impacted by the vulnerability due to the prevalence of Log4j2's use in many web apps
  • Due to the ease and rate of exploitation attempts, Bytes recommends upgrading impacted services to the latest version of Log4j2

Mitigation Guidance

  • Upgrade log4j 2 to the latest version, specifically log4j-2.15.0-rc2 or newer
  • According to Apache’s guidance, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
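The class-removal mitigation above can be verified across a file system. The following Python check is an added example, not part of the Bytes advisory: it scans a directory tree for log4j-core jars, reads the version from the file name, and reports whether JndiLookup.class is still present, using the affected range stated above (2.0-beta9 to 2.14.1; 2.15.0 and newer treated as fixed). The sample jars it scans are constructed in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Entry that the advisory's "zip -q -d" command removes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.\d+)?(?:-[\w.]+)?\.jar$")

def version_affected(major, minor):
    """Affected range from the advisory: 2.0-beta9 through 2.14.1; 2.15.0+ is fixed."""
    return major == 2 and minor <= 14

def assess_jar(jar):
    """Classify one jar as vulnerable, mitigated (class removed), patched or unknown."""
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    match = NAME_RE.match(jar.name)
    if not match:
        return "unknown"  # version not in the file name; inspect the manifest by hand
    if not version_affected(int(match.group(1)), int(match.group(2))):
        return "patched"
    return "vulnerable" if has_jndi else "mitigated"

def scan_tree(root):
    """Return {jar name: verdict} for every log4j-core jar found under root."""
    return {p.name: assess_jar(p) for p in Path(root).rglob("log4j-core-*.jar")}

def make_sample_jar(path, include_jndi):
    """Constructed fixture: a minimal jar with or without the JndiLookup entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode

def demo():
    """Build three constructed jars in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        make_sample_jar(root / "log4j-core-2.14.1.jar", include_jndi=True)
        make_sample_jar(root / "lib" / "log4j-core-2.0-beta9.jar", include_jndi=False)
        make_sample_jar(root / "lib" / "log4j-core-2.15.0.jar", include_jndi=True)
        return scan_tree(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

The check only looks at jars on disk by name; log4j-core bundled inside a WAR, EAR or fat jar, or renamed, is not unpacked and would need a nested scan.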

Bytes Response

In response to the Log4j exploit (CVE-2021-44228) Bytes have conducted a thorough investigation of systems to determine the impact on internal and customer applications. The results of the investigation are below.

UPDATE: New vulnerabilities detected - CVE-2021-44224 (CVSS 3 - 8.2 High) and CVE-2021-44790 (CVSS 3 - 8.1 High) - these do not impact Bytes (see below).

Quantum: Not impacted
Commerce (Bytes portal): Not impacted
Snow managed service: Not impacted
Bytes internal services: Not impacted

For support and guidance, please reach out to your Bytes Account Manager or email [email protected]
