[UPDATE] Zero-Day Vulnerability in Apache Java Logging Library Log4j

Published on 10 Dec 2021

Updated on 17 Dec 2021

Update:

Please refer to our latest advisory instead: https://www.csa.gov.sg/singcert/Advisories/ad-2021-010

Security researchers have discovered a zero-day vulnerability in the Apache Java logging library Log4j (CVE-2021-44228). A proof-of-concept exploit has also been published. Successful exploitation could allow an attacker to gain full control of the affected servers.

System administrators using Apache Log4j versions between 2.0 and 2.14.1 are advised to upgrade to the latest version 2.15.0 immediately. The patch is available for download here: https://logging.apache.org/log4j/2.x/download.html

As Log4j 2.15.0 requires Java 8, system administrators running Java 7 will also need to upgrade to Java 8. Alternatively, system administrators may reconfigure affected servers by setting "log4j2.formatMsgNoLookups" to "true" when starting the Java virtual machine, and closely monitor those servers for any suspicious activity.
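As an added example (not part of the advisory), the following Python script applies the version ranges above to the log4j-core JARs found under a directory and reports which remediation applies to each. It also encodes one caveat the advisory does not state: the log4j2.formatMsgNoLookups property only exists from Log4j 2.10.0 onward, so affected builds older than that must be upgraded rather than reconfigured. The JARs it scans are constructed by the script itself as sample input.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Maven-built log4j-core JARs record their version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+(?:\.\d+)*)", re.MULTILINE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.0' -> (2, 0, 0): pad to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def classify(version: str) -> str:
    """Advisory ranges: 2.0 through 2.14.1 affected, 2.15.0 fixed. The property
    mitigation needs Log4j >= 2.10.0 (a Log4j fact, not stated in the advisory)."""
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "patched"
    if v >= (2, 10, 0):
        return "affected: upgrade, or start the JVM with -Dlog4j2.formatMsgNoLookups=true"
    return "affected: upgrade required (property mitigation unavailable before 2.10.0)"

def log4j_version_from_jar(jar_path: Path) -> Optional[str]:
    """Return the log4j-core version recorded in a JAR, or None if it has none."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        match = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
        return match.group(1) if match else None

def scan(root: Path) -> Dict[str, str]:
    """Map each JAR under root that bundles log4j-core to 'version: verdict'."""
    findings = {}
    for jar in sorted(root.rglob("*.jar")):
        ver = log4j_version_from_jar(jar)
        if ver:
            findings[jar.name] = f"{ver}: {classify(ver)}"
    return findings

def demo() -> Dict[str, str]:
    """Constructed sample: three minimal JARs containing only a pom.properties."""
    root = Path(tempfile.mkdtemp())
    for ver in ("2.9.1", "2.14.1", "2.15.0"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr(POM_PROPS, f"version={ver}\n")
    return scan(root)
```

Point `scan()` at an application's library directory to inventory real JARs; JARs that shade Log4j without the Maven properties file are not detected and need a manual check.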

More information is available here:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
https://auscert.org.au/bulletins/ASB-2021.0244
https://www.randori.com/blog/cve-2021-44228/