A critical vulnerability (CVE-2021-44228) has been reported in Apache Log4j 2, the most widely used logging framework in Java. Apache's security advisory for it is published at the link below. The weakness lies in how the library processes the text it writes to its logs: an attacker sends a request containing a crafted lookup string, and when that string is logged, Log4j resolves it as a JNDI lookup, which lets the attacker take over the server.
https://logging.apache.org/log4j/2.x/security.html
Affected Systems
The flaw is in Log4j 2 itself, so any product that embeds the library is exposed. Products identified as affected by the Log4j vulnerability include:
- Apache Struts
- Apache Struts2
- Apache Tomcat
- Apache Spark
- Apache Solr
- Apache Druid
- Apache Flink
- Elasticsearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- IBM QRadar SIEM
- VMware
- NetApp
Solution and CVE/CWE
Apache has released Log4j 2.16.0 to address the vulnerability. Version 2.16.0 removes support for message lookup patterns and disables JNDI functionality by default. For earlier versions, Apache states that the problem can be mitigated by removing the JndiLookup class from the classpath. To avoid being affected, it is strongly recommended to update all vulnerable systems to the fixed version of Apache Log4j 2 (2.16.0 or later). Note that software your organization uses, such as its website, dealer portal, Document Management System, Electronic Document Management System or Personnel Attendance Tracking System, may embed this component, so your organization can be affected through third-party products. Because the vulnerability carries a CVSS score of 10 out of 10, an attacker can completely take over the system on which the affected software runs. The Log4j 2.16.0 release can be downloaded from the link below.
https://logging.apache.org/log4j/2.x/download.html
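Before updating, you need to know where log4j-core is actually deployed, and where it cannot be updated immediately the advisory's fallback is to delete JndiLookup.class from the jar (the advisory gives it as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The script below is an added example, not code from Apache or the Log4j project: it walks a directory tree, reads each log4j-core jar's version from its manifest, flags versions below 2.16.0 that still contain JndiLookup.class, and optionally strips that class. Treating everything below 2.16.0 as needing action is an assumption aligned with the advice above; the three sample jars it builds are constructed stand-ins, not real Log4j releases.

```python
"""Find log4j-core jars and apply the fallback mitigation.

Added example, not part of the Apache advisory or the Log4j project.
Versions below 2.16.0 that still ship JndiLookup.class are flagged and,
with fix=True, the class is stripped.  The sample jars are constructed.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # assumption: anything below this needs action


def log4j_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF as a tuple, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.MULTILINE)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def is_vulnerable(jar_path):
    """Vulnerable when the lookup class is present and the version predates 2.16.0."""
    if not has_jndi_lookup(jar_path):
        return False  # already stripped, so the JNDI code path cannot be reached
    version = log4j_version(jar_path)
    return version is None or version < FIXED


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; zip entries cannot be deleted in place."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)


def scan_tree(root, fix=False):
    """Return [(path, version, vulnerable)] for every log4j-core*.jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                vulnerable = is_vulnerable(path)
                if vulnerable and fix:
                    remove_jndi_lookup(path)
                findings.append((path, log4j_version(path), vulnerable))
    return findings


def make_sample_jar(directory, version, with_lookup=True):
    """Constructed stand-in for log4j-core: a manifest plus dummy class entries."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build three sample deployments, scan, mitigate, and rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        make_sample_jar(os.path.join(root, "app1", "lib"), "2.14.1")          # vulnerable
        make_sample_jar(os.path.join(root, "app2", "lib"), "2.16.0")          # fixed release
        make_sample_jar(os.path.join(root, "app3", "lib"), "2.11.2", False)   # class already stripped

        def summary(findings):
            return sorted((os.path.relpath(p, root).replace(os.sep, "/"), v, vuln)
                          for p, v, vuln in findings)

        before = summary(scan_tree(root))
        scan_tree(root, fix=True)  # strips JndiLookup.class from app1's jar
        after = summary(scan_tree(root))
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        for path, version, vulnerable in findings:
            print(f"{label}: {path} version={version} vulnerable={vulnerable}")
```

Run it against a real host by calling scan_tree on the application root (without fix=True first, to get an inventory); stripping the class is a stopgap for systems that cannot be upgraded and does not replace updating to the fixed release.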
CVE/CWE: CVE-2021-44228
Note: vulnerabilities with a CVSS 3.1 base score of 7.0-8.9 out of 10 are rated "high", and those scored 9.0-10.0 are rated "critical".
References:
https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228