A few days ago a 0-day CVE was discovered in the Log4j2 library. The CVE was just patched on Friday, Dec 10th.
Apache Log4j2 is a Java-based logging utility. It was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache Software Foundation. Two days ago a severe vulnerability in it was discovered in the wild, and it has already been weaponized.
Basically, any unauthenticated attacker can get RCE (remote code execution) on the server. For example, a simple GET request:
curl myserver.com -H 'User-Agent: ${jndi:ldap://127.0.0.1/a}'
Assuming that the server logs the request's "User-Agent" header, you will see in the log file that an attempt to perform a lookup has actually happened:
2021-12-11 13:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
There are several solid technical write-ups about this here and here.
Apache rated this vulnerability as Critical with a CVSS score of 10/10, which indicates imminent impact.
The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia's CERT. New Zealand's government cybersecurity organization's alert noted that the vulnerability is reportedly being actively exploited.
Considering how easy it is to exploit and how widespread the Log4j library is, this is probably as bad as the Equifax and Heartbleed vulnerabilities.
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector, because in these versions com.sun.jndi.ldap.object.trustURLCodebase defaults to false, meaning JNDI cannot load remote code over LDAP.
However, they might still be vulnerable to other attack vectors that do not use the LDAP variant.
The permanent solution is to upgrade Log4j to version 2.15.0. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].
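As an added example (not code from the original post or from the Log4j project), here is a small Python triage script that ties together the three checks described above: spotting the lookup string and log4j's own WARN line in logs (run over constructed sample lines), testing a JDK version string against the update levels quoted above, and checking whether a log4j-core version is at least 2.15.0. The JDK thresholds are applied exactly as the post words them (strictly newer than 6u211/7u201/8u191/11.0.1), and JDK majors the post does not mention are treated as unmitigated.

```python
import re

# Constructed sample log lines (not from any real system): normal traffic
# plus the lookup attempt and the WARN line shown in the post.
SAMPLE_LOG = """\
2021-12-11 13:14:50,001 http-nio-8080-exec-1 INFO GET /index.html ua=Mozilla/5.0
2021-12-11 13:14:56,200 http-nio-8080-exec-1 INFO GET /index.html ua=${jndi:ldap://127.0.0.1/a}
2021-12-11 13:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389
2021-12-11 13:15:02,010 http-nio-8080-exec-2 INFO GET /health ua=curl/7.68.0
"""

# Two independent signals: the lookup string arriving in logged input, and
# log4j's own WARN when it actually tries to resolve the JNDI reference.
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
RESOLVE_RE = re.compile(r"Error looking up JNDI resource \[([^\]]+)\]")

def find_jndi_events(log_text):
    """Return (line_number, signal, detail) for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if LOOKUP_RE.search(line):
            hits.append((n, "lookup-in-input", line.strip()))
        m = RESOLVE_RE.search(line)
        if m:
            hits.append((n, "jndi-resolve-attempt", m.group(1)))
    return hits

# Update levels quoted in the post; only strictly newer updates are treated
# as having trustURLCodebase=false (conservative reading of "greater than").
JDK_LDAP_FIX = {6: 211, 7: 201, 8: 191}

def jdk_blocks_ldap_codebase(version):
    """Accepts '8u191' or '11.0.1' style strings. Majors the post does not
    cover (9, 10, anything below 6) are reported as unmitigated."""
    m = re.fullmatch(r"(\d+)u(\d+)", version)
    if m:
        major, update = int(m.group(1)), int(m.group(2))
        return major in JDK_LDAP_FIX and update > JDK_LDAP_FIX[major]
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised JDK version: {version!r}")
    parts = tuple(int(p or 0) for p in m.groups())
    return parts[0] >= 11 and parts > (11, 0, 1)

def log4j_is_patched(version):
    """True once log4j-core is at the fixed 2.15.0 release or later."""
    return tuple(int(p) for p in version.split(".")) >= (2, 15, 0)
```

Both log signals are worth alerting on separately: a lookup string in logged input shows someone probing, while the WARN line shows log4j actually attempted the JNDI resolution.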