Please refer to our latest advisory instead: https://www.csa.gov.sg/singcert/Advisories/ad-2021-010
Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.
System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html
Log4j 2.15.0 requires Java 8, so system administrators using Java 7 will need to upgrade to Java 8 before applying the patch. Alternatively, system administrators may start the Java virtual machine on affected servers with the system property "log4j2.formatMsgNoLookups" set to "true", and closely monitor the servers for any suspicious activity.
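To find which servers need the upgrade, the script below inventories log4j-core JARs by filename and flags versions in the range this advisory names (2.0 to 2.14.1). It is an added example, not part of the original advisory; the function names are hypothetical, and it assumes JARs keep the standard `log4j-core-<version>.jar` filename.

```shell
#!/bin/sh
# Added example: flag log4j-core JARs whose filename version falls in the
# range named by this advisory (2.0 through 2.14.1). Names are hypothetical.

# Return 0 if VERSION is in 2.0 .. 2.14.1, 1 if outside, 2 if unparseable.
log4j_affected() {
    v=${1%%-*}                       # drop qualifiers such as -beta9 or -rc1
    case $v in
        ''|*[!0-9.]*) return 2 ;;    # not a dotted numeric version
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 2 ] || return 1   # only the 2.x line is in scope here
    [ "$minor" -le 13 ] && return 0
    [ "$minor" -eq 14 ] && [ "$patch" -le 1 ] && return 0
    return 1
}

# Print "<status> <version> <path>" for every log4j-core JAR under DIR.
scan_log4j() {
    find "${1:-.}" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=${jar##*/}
        ver=${base#log4j-core-}; ver=${ver%.jar}
        if log4j_affected "$ver"; then status=AFFECTED
        elif [ $? -eq 2 ]; then status=unknown
        else status=ok
        fi
        printf '%s %s %s\n' "$status" "$ver" "$jar"
    done
}

# Usage: sh scan.sh /opt    (scans the given directory tree)
if [ $# -gt 0 ]; then scan_log4j "$1"; fi
```

Filename matching does not see copies of Log4j bundled inside fat JARs or WAR files, so treat a clean result as a lower bound and check application archives separately.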
More information is available here: