A few days ago a 0-day CVE was discovered in the Log4j2 library. The CVE was just patched on Friday, Dec 10th. 

What exactly is the Log4J2 Vulnerability?

Apache Log4j2 is a Java-based logging utility. It was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache. Two days ago a severe vulnerability was discovered in the wild. The bug is already weaponized in the wild,

Basically, any unauthenticated hacker can get an RCE (remote code execution) on the server. So for example, a simple get request:

curl myserver.com-H ‘User-Agent: ${jndi:ldap://127.0.0.1/a}'

Assuming that the server does log the request header “”User-Agent”, you will see that in the log file actual an attempt to perform a lookup has happened:

2021-12-11 13:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

There are a lot of solid technical write-ups written about this here and here.

How bad is Log4J2?

Apache rated this vulnerability as Critical with a CVSS score of 10/10, which indicates imminent impact. 

The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia's CERT. New Zealand's government cybersecurity organization alert noted that the vulnerability is reportedly being actively exploited.

Considering how easy it is and how spread the Log4j library is. This is probably as bad as the Equifax and heart bleed vulnerabilities. 

Who is affected by Log4J2?

JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

However they might still be vulnerable to other attack vectors that does not use the LDAP variant. 

What can you do about it?

The permanent solution is to upgrade Log4J to the 2.15.0 version. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].

Temporary solutions:

• Setting formatMsgNoLookups to false but this is only available to log4j version 2.10.0 and up. Keep in mind this will only stop the JNDI lookup attack vector variant.
• If you are using a WAF service, most WAF vendors are updating their rules to mitigate this issue. Keep in mind this is only temporary solution and most probably we will see some bypasses in the next few weeks.

Updates Since Original Posting

• Update December 10, 2021: Apache released Log4j 2.15.0 for Java 8 to address a remote code execution (RCE) vulnerability – CVE-2021-44228.
• Update December 13, 2021: Apache released Log4j 2.12.2 for Java 7 and Log4j 2.16.0 for Java 8 to address an RCE vulnerability – CVE-2021-45046.
• Update December 15, 2021: Log4j 1.x is vulnerable to an attack, where logging is configured with JMSAppender are impacted – CVE-2021-4104. 
• Update December 17, 2021: Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability – CVE-2021-45105.
• Update December 28, 2021: Apache releases version 2.17.1 to address CVE-2021-44832.