A zero-day exploit affecting the popular utility program apachelog4j (CVE-2021-44228) was released on December 9, 2021 and may allow remote implementation code (RCE).
This vulnerability is already in use and anyone using Log4j should update to version 2.15.0 as soon as possible. The final version is already on the page download Apache.
If the latest version is not available, Cloudflare has a WAF tweak that can also protect you. You must use a firewall and set the system property "log4j2.formatMsgNoLookups" to "true". or by removing the JndiLookup class from the class path.
Those who use Cloudflare WAF can also take advantage of three new rules that have been developed to mitigate any exploitation efforts:
RuleID | Description | Default Action |
---|---|---|
100514 (legacy WAF) 6b1cc72dff9746469d4695a474430f12 (new WAF) |
Log4j Headers | BLOCK |
100515 (legacy WAF) 0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF) |
Log4j Body | BLOCK |
100516 (legacy WAF) 5f6744fa026a4638bda5b3d7d5e015dd (new WAF) |
Log4j URL | BLOCK |
The firewall rules are three and inspect HTTP headers, body and URL respectively.
More details about the vulnerability can be found in the official Log4j security page.
Who is affected
Log4j is a powerful Java-based log library developed by the Apache Software Foundation.
Σε όλες οι εκδόσεις Log4j >= 2.0-beta9 και μηνύματα καταγραφής και οι παράμετροι μπορούν να αξιοποιηθούν από κάποιον εισβολέα για την εκτέλεση απομακρυσμένης εκτέλεσης κώδικα. Συγκεκριμένα, ένας εισβολέας που μπορεί να ελέγξει μηνύματα καταγραφής (logs) ή παραμέτρους των μηνυμάτων καταγραφής μπορεί να τρέξει αυθαίρετο κώδικα που έχει φορτωθεί από διακομιστές LDAP όταν είναι ενεργοποιημένη η αντικατάσταση της searchof messages.