Remote Code Execution vulnerability in Apache Java logging library (Log4j)

  • CERT Admin
  • Wed Dec 29 2021
  • Alerts

Overview 

A critical vulnerability was found in the Java logging library log4j which allows an attacker to perform Remote Code Execution (RCE). 

Description 

The RCE vulnerability, which resides in the Java logging library log4j, can be exploited by logging a certain string or by sending a specially crafted payload. By successfully exploiting this vulnerability, a remote attacker could gain full control of the targeted servers.

Impact 

● Execution of payloads and malicious commands 

● Can be exploited without authentication 

● Remote access to the computer through the Minecraft server

● Sensitive information exposure 

  

Solution/Workarounds 

Apply the appropriate patches or mitigation steps published by the respective vendors. Refer to the following:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/ 

https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/ 

https://www.fortiguard.com/psirt/FG-IR-21-245 

https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ 

https://kb.vmware.com/s/article/87092 

https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/ 

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 

https://www.oracle.com/java/technologies/javase/products-doc-8u121-revision-builds-relnotes.html 

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd 

https://logging.apache.org/log4j/2.x/security.html 

Reference 

● https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/ 

● https://www.lunasec.io/docs/blog/log4j-zero-day/ 

● https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html 

● https://www.cert-in.org.in 

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind.  

Last updated: Wed Dec 29 2021