Severe vulnerability in Apache Log4j 2 could affect thousands of organizations
A serious vulnerability has been found in the widely used Log4j 2 library, which provides logging for Java applications. The NCSC expects exploit code and abuse in the short term, which could affect thousands of organizations.
The vulnerability in the Apache Log4j 2 open source library allows an unauthenticated, remote attacker to execute arbitrary code with the permissions of the affected Java application. The attacker only needs to get a crafted string written to a log message (for example via an HTTP header, username or form field that the application logs), because vulnerable versions of Log4j 2 resolve JNDI lookups embedded in logged messages and will fetch and load code from an attacker-controlled server. The Java logging library is used by many organizations for cloud services and enterprise apps, among other things. Default configurations of the Apache projects Struts2, Solr, Druid, and Flink are vulnerable because they ship with Log4j 2.
The vulnerability has been designated CVE-2021-44228 and is also known as Log4Shell (some early reports also called it LogJam, a name that properly belongs to an unrelated 2015 TLS vulnerability). According to the NCSC, proof-of-concept code has already been published for this vulnerability, and the NCSC expects that exploit code and abuse will follow in the short term. According to New Zealand's Computer Emergency Response Team, it is already being actively exploited.
Versions from Log4j 2.0-beta9 through 2.14.1 are vulnerable; the Log4j 1.x branch does not contain the affected lookup feature and is not affected by CVE-2021-44228. Apache has released updates to fix the vulnerability and version 2.15.0 resolves the issue. Source code patches are available from the Log4j project's GitHub page. As a workaround for versions 2.10.0 through 2.14.1, administrators can set the system property 'log4j2.formatMsgNoLookups' to 'true' by adding '-Dlog4j2.formatMsgNoLookups=true' to the JVM command that launches the application (the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true has the same effect). The property must be set on every JVM that loads Log4j 2 and only takes effect after a restart. Versions before 2.10.0 ignore this property; for those, the JndiLookup class must be removed from the log4j-core jar until the library can be upgraded.
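The following triage script is an added example and is not code from the NCSC, Apache or the Log4j project. It classifies a Log4j 2 version against the affected range above, checks whether a JVM command line carries the formatMsgNoLookups workaround, and inspects a jar for the JndiLookup class (removing it as the fallback mitigation for releases older than 2.10.0). The jar it inspects is a stand-in constructed inside the script so the example runs offline; the function and class names are the author's own assumptions, except for the JndiLookup class path, which is the real one inside log4j-core.

```python
"""Triage helpers for CVE-2021-44228 (Log4Shell). Added example, not project code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Real path of the class inside log4j-core; everything else here is illustrative.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Pre-releases (alpha < beta < rc) sort before the final release of the
    same number, so 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    rank = _PRE_RANK[m[4]] if m[4] else _FINAL_RANK
    pre_num = int(m[5]) if m[5] else 0
    return (major, minor, patch, rank, pre_num)


def classify(version):
    """Map a Log4j version to the action an operator has to take.

    not-affected           : Log4j 1.x or a 2.0 beta older than beta9
    fixed                  : 2.15.0 or later
    vulnerable-mitigable   : 2.10.0 - 2.14.1, formatMsgNoLookups=true works
    vulnerable-remove-class: 2.0-beta9 - 2.9.x, property is ignored, strip JndiLookup
    """
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not-affected"
    if v >= parse_version("2.15.0"):
        return "fixed"
    if v >= parse_version("2.10.0"):
        return "vulnerable-mitigable"
    return "vulnerable-remove-class"


def workaround_flag_present(jvm_args):
    """True if the JVM arguments set log4j2.formatMsgNoLookups to true.

    Log4j reads the value with Boolean.parseBoolean, so 'True' and 'TRUE'
    count as well; any other value (or an absent flag) means no mitigation.
    """
    for arg in jvm_args:
        m = re.fullmatch(r"-Dlog4j2\.formatMsgNoLookups=(.*)", arg)
        if m:
            return m[1].strip().lower() == "true"
    return False


def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def scan_directory(root):
    """Yield every *.jar under root that still carries JndiLookup.class.

    Caveat: jars nested inside fat jars or WAR files are not opened here.
    """
    for jar in Path(root).rglob("*.jar"):
        if has_jndi_lookup(jar):
            yield jar


def remove_jndi_lookup(jar_path, out_path):
    """Write a copy of the jar without JndiLookup.class and report success.

    Equivalent to deleting the class with a zip tool; it is the fallback for
    releases older than 2.10.0 where the formatMsgNoLookups property is ignored.
    """
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    return not has_jndi_lookup(out_path)


def build_sample_jar(path, include_jndi_lookup=True):
    """Construct a stand-in jar (NOT a real Log4j build) with a fake class body."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrSubstitutor.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo_jar_mitigation():
    """Build a sample jar, confirm the class is found, strip it, confirm it is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "lib" / "log4j-core-2.9.1.jar"
        original.parent.mkdir()
        build_sample_jar(original)
        found_before = [p.name for p in scan_directory(tmp)]
        stripped = Path(tmp) / "log4j-core-2.9.1-stripped.jar"
        removed = remove_jndi_lookup(original, stripped)
        return found_before, removed, has_jndi_lookup(stripped)


if __name__ == "__main__":
    for v in ("1.2.17", "2.0-beta9", "2.9.1", "2.14.1", "2.15.0"):
        print(f"{v:>10}: {classify(v)}")
    print("flag present:", workaround_flag_present(["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=True"]))
    print("jar demo:", demo_jar_mitigation())
```

The version classifier is the part worth keeping: it encodes the two different answers an operator needs (set the property, or strip the class), rather than a single yes/no. The jar scanner deliberately does not descend into nested archives, which is exactly where Log4j usually hides in application deployments, so treat a clean scan as a starting point and not as proof of absence.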