On December 10th, a group of security researchers published a security notice regarding a vulnerability in Log4j. Log4j is a library commonly used in Java environment to manage logging.
Log4j versions 2.0 to 2.14.1 are affected by a vulnerability that may lead to remote code execution (RCE). Older versions of Log4j (1.X) might also be vulnerable if the configuration explicitly loads JDNI components, which is not the standard behavior. Please also note that a lot of softwares available on the market are using Log4j.
This vulnerability is actively exploited. Several softwares to exploit this vulnerability are available publicly and easy to use.
How to mitigate
- Patch and deploy Log4j 2.15.0 version as soon as possible when you manage the software stack
- For all applications you use, check editor websites for security announcements and mitigation options
- Restrict software exposure to limit the risk of attack
- Filter egress network flows to limit exploit capability to access other resources
References:
- Mitre security announcement: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- ANSSI security announcement: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/
- https://logging.apache.org/log4j/2.x/security.html
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
