Summary
- Caused by Apache Log4j's JNDI ("Java Naming and Directory Interface") features.
- How severe is it? The CVSS score is 10, the maximum, which means the highest risk.
Description
CVE-2021-44228 (known as "log4shell" or "log4jam") is a severe remote code execution (RCE) vulnerability discovered in Log4j, and it affects a wide range of software.
This is because Log4j is a Java library, Java being a widely used general-purpose programming language, and it is also used internally by popular frameworks and products such as Spring, Struts, Logstash and Solr.
Unfortunately, the CVE-2021-44228 (log4shell) vulnerability is straightforward and easy for attackers to exploit. For services exposed to a network, especially the Internet, the situation is really dangerous.
It is considered a historic vulnerability, compared with Heartbleed and Shellshock (also called Bashdoor), both discovered in 2014.
Updating Log4j to version 2.15.0 is strongly recommended.
How to fix it
- Updating Log4j to version 2.15.0 (or later) is strongly recommended.
Second best and temporary ways to mitigate it
When it is difficult to update Log4j, the following are possible:
- Use a WAF.
- If the version is 2.10.0 or later: disable message lookups by setting the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true.
- Otherwise: remove the JndiLookup class from the classpath.
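To show how the version-dependent advice above applies to a concrete jar, here is an added example (not from the original post or the Log4j project) that reads the log4j-core version from a jar, picks the matching step (already fixed, set formatMsgNoLookups, or remove JndiLookup), and strips the JndiLookup class by rewriting the jar. The sample jar it builds is a constructed stand-in with placeholder bytes, not a real Log4j build.

```python
import os
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_path):
    """Return log4j-core's version as a tuple from the jar's pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return tuple(int(p) for p in line.split("=", 1)[1].strip().split("."))


def recommend(jar_path):
    """Map the post's advice onto one jar: fixed, set formatMsgNoLookups, or remove JndiLookup."""
    version = log4j_core_version(jar_path)
    if version is None:
        return "not-log4j-core"
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version >= (2, 15, 0):
        return "fixed"                       # the recommended update is already applied
    if not has_jndi:
        return "mitigated-class-removed"     # temporary mitigation already in place; still update
    if version >= (2, 10, 0):
        return "set-formatMsgNoLookups"      # log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS
    return "remove-JndiLookup"               # older releases lack that property


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place); True if it was present."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)
    return removed


def make_sample_jar(path, version, with_jndi=True):
    """Constructed sample jar (not a real log4j-core build) so the scan can run offline."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
```

Removing the class only disables the JNDI lookup; the version check still reports the jar as needing the update to 2.15.0 or later.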
This post is based on tweets by my company.