On December 9, 2021 a Log4j 2 vulnerability was disclosed that allows an attacker to execute code on the affected server or device. It is a very severe vulnerability because Java with Log4j is used in a lot of places, and it needs to be patched ASAP.
Solution / Fix
The solution can be quite simple for your own application: just upgrade Log4j to version 2.17.0.
Log4j 2.17.0 is released now and the changes included are:
- Fix string substitution recursion. Fixes LOG4J2-3230.
- Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. Fixes
- Limit JNDI to the java protocol only. JNDI will remain disabled by default. The enablement property has been renamed to 'log4j2.enableJndiJava'. Fixes LOG4J2-3242.
- Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. Fixes LOG4J2-3241.
- PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. Fixes LOG4J2-3247.
- Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. Fixes LOG4J2-3249.
- Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. Fixes LOG4J2-3237.
Log4j 2.16.0 is released now and the changes included are:
- Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. Fixes LOG4J2-3208.
- Completely remove support for Message Lookups. Fixes LOG4J2-3211.
Mitigations
https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
If you cannot upgrade to 2.15.0 then you can use the following mitigations:
Mitigation 1:
for Log4j 2.10 or greater
Set the JVM system property -Dlog4j2.formatMsgNoLookups=true
Mitigation 2:
for Log4j 2.7 or greater
Use %m{nolookups} in the PatternLayout
Mitigation 3:
for any version of Log4j 2
Remove the JndiLookup and JndiManager classes from the log4j jar
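To check which of the fixes and mitigations above actually apply to the jars on a host, here is an added example checker (not code from the original post). It assumes the jar carries the standard Maven metadata at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties and reports version-based status plus whether the JndiLookup class was removed (mitigation 3); the sample jars are constructed in memory so it runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Real locations inside a log4j-core jar: the JNDI lookup class and the Maven metadata.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def assess_jar(zf):
    """Classify one opened jar against the fixes and mitigations listed above."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if version is None:
        # Shaded/fat jars often drop pom.properties; the class itself is still the tell.
        return "UNKNOWN_VERSION_JNDI_PRESENT" if JNDI_LOOKUP in names else "NOT_LOG4J_CORE"
    if version >= (2, 17, 0):
        return "FIXED"
    if version >= (2, 16, 0):
        return "UPGRADE_TO_2.17.0"  # JNDI off by default, but LOG4J2-3230 recursion remains
    if JNDI_LOOKUP not in names:
        return "MITIGATED_CLASS_REMOVED"  # mitigation 3 was applied to this jar
    return "VULNERABLE"

def assess_bytes(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return assess_jar(zf)

def scan_directory(root):
    """Map every *.jar under root to its status; run this against a real host."""
    return {str(p): assess_bytes(p.read_bytes()) for p in Path(root).rglob("*.jar")}

def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar so the checker can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

Jars nested inside WAR/EAR files are not unpacked here; a host scan should also look inside those archives.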
3rd party applications
It is highly possible that you have 3rd party applications on your servers or devices that also use Java; you need to update them as well, as soon as a patch is released. However, some old devices are no longer updated by their vendors, and those devices will remain possible to hack.
List of some companies / products affected
- Minecraft
- Amazon
- Tesla
- Apple iCloud
- and more
CloudFlare
CloudFlare is implementing a fix for this issue, because they identified a lot of scanning in their network. At first it was only for paying customers of CloudFlare, but they are also considering it for all users.