Critical Log4j Vulnerability and Recommendations to Resolve it

mobile-app-pen-testing
Webinar – Mobile app pen testing: Understanding android apps and how to secure them
January 21, 2022
External-Attack-Surface-Management
Why Is Gartner Talking About External Attack Surface Management (EASM)
February 9, 2022

January 24, 2022

What is Log4J?

Log4j is an open-source logging utility offered by Apache Software Foundation. This logging library is widely used by businesses in its application to record and store activity records. It records events, errors, and routine system operations and communicates the diagnosed messages about them to the system administrators and users. It is one of the most widely used

What is Log4j Vulnerability?

Log4j Vulnerability, also called Log4Shell is a situation where an attacker remotely executes ode in your application and steals all the data. This Vulnerability affects the servers, attackers can take over your systems, exploit the data, make changes or do whatever they want. This is the reason why so many businesses are worried about vulnerability.

Some of the key details of Log4j include:

  •  Apache released a new version of Log4j 2.15.0 for Java 8 to address a remote code execution (RCE) vulnerability, CVE-2021-44228, on December 10, 2021.
  • Log4j 2.12.2 released for Java 7 and Log4j 2.16.0 for Java 8 to address an RCE vulnerability, CVE-2021-45046 on December 13, 2021.
  • On December 15, 2021, Log4j 1.x vulnerable to an attack, although at lower risk, when logging is configured with JMSAppender are impacted – CVE-2021-4104. It is recommended to upgrade to Log4j 2.x.
  • On December 17, 2021 Log4j 2.17.0 released for Java 8 users to address a denial-of-service (DOS) vulnerability – CVE-2021-45105.
  • On December 28, 2021, Apache released version 2.17.1 to address CVE-2021-44832.

To read more about Log4j vulnerability, refer to the Apache Log4j Security Vulnerabilities.

How to mitigate the Log4j Vulnerability?

You can try some of the following to mitigate this vulnerability:

  • Upgrade to the latest version of Log4j
  • Update your servers and devices regularly
  • Patch the class directly
  • Set the below flags to off:

Com.sum.jndi.ldap.object.trustURLCodebase

Com.sun.jndi.rmi.object.trustURLCodebase

  • Gradle: Use dependency constraints

Also, refer to our webinar on understanding and mitigating this vulnerability.

References:

https://logging.apache.org/log4j/2.x/security.html

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

https://www.natlawreview.com/article/case-study-appropriately-responding-to-log4j-cybersecurity-vulnerability

Enable Notifications OK No thanks