Take Action to Protect Against Apache Log4j Vulnerability
What is the Vulnerability?
On December 9th, a zero-day vulnerability was reported in the Apache logging package Log4j2 versions 2.14.1 and below (CVE-2021-44228). CVE-2021-44228 is also known as LogJam or Log4Shell. Log4j is a java-based logging library within Apache. It is used by a vast number of companies worldwide, enabling logging in a wide variety of popular applications. The vulnerability impacts default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are utilized by numerous organizations from Apple, Amazon, Cloudflare, Twitter, Steam, and others.
The vulnerability targets remote locations accessed via the Lightweight Directory Access Protocol (LDAP). Although LDAP was the initial target, other file locations are possible. This capability is an officially supported structure within Java to retrieve remote data that is anticipated to be on a local network but was found to also support Internet-based remote hosts. By exploiting the vulnerability, an attacker can gain full control of a system and exfiltrate data from the affected servers. Exploitation of the Log4Shell vulnerability grants the attacker full control on the affected server. It is critical to take immediate action.
Next Steps:
Although your security platform from providers like Checkpoint, Fortinet, Palo Alto and others do offer zero day threat protection, Vandis also suggests applying Apache’s patch Log4j 2.15.0 to reduce the risk of vulnerability. Alternative remediation steps include:
- For Log4j 2.10 or higher: add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath to prevent lookups in log event messages.
- For Log4j 2.7 or higher: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
- Consider blocking LDAP and RMI outbound traffic to the internet from vulnerable servers.
Determine whether your organization's products with Log4j are vulnerable by referring to CISA's GitHub repository and CERT/CC's CVE-2021-44228_scanner. Vandis Engineers and our network of Incident Responders are here to assist you. Please contact us today at or call us at (800) 397-3146.