The Apache Software Foundation has released a security update that addresses a vulnerability in the Log4j (https://logging.apache.org/log4j) software.
Apache Log4j, in which the vulnerability was found, is a Java-based open-source logging library used by applications to write log output.
Because attackers can exploit the vulnerability to cause damage such as malicious code infection, we strongly encourage users who manage environments containing Log4j to update to the latest version.
■ Affected versions
o Apache Log4j 2
- 2.0-beta9 through 2.14.1 (all versions in this range)
o Products that use Apache Log4j 2
※ If you are using a product that depends on Apache Log4j 2 (check the product's reference website), apply the patch or countermeasure recommended by its manufacturer.
■ Log4j2 vulnerability update
The patch for the vulnerability was released on December 10, 2021 as Log4j version 2.15.0.
■ Log4j2 vulnerability mitigation
If it is difficult to apply the patch, take temporary measures in one of the following ways, depending on the version in use.
- Log4j 2.10 to 2.14.1
Set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- Log4j 2.0-beta9 to 2.10.0
Remove the JndiLookup class from the jar as follows.
# zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
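To check which of the measures above applies to a given log4j-core jar, here is an added example (not part of the original advisory or a MONITORAPP tool) that reads the version from the jar manifest's Implementation-Version field, checks whether JndiLookup.class is still present, and maps the result onto the advisory's version ranges. The sample jar it builds is constructed in memory for demonstration; point assess_jar at a real log4j-core-*.jar path to inspect a deployment.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release
    tag (beta/rc) sorts below the final release with the same number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def assess_jar(jar_path_or_file):
    """Report the manifest version, whether JndiLookup.class is present,
    and which action from the advisory applies to this jar."""
    with zipfile.ZipFile(jar_path_or_file) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST in names:
            for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    v = parse_version(version) if version else None
    if v is None:
        action = "unknown version: inspect manually"
    elif v < parse_version("2.0-beta9"):
        action = "below the affected range: inspect manually"
    elif v >= parse_version("2.15.0"):
        action = "patched: no action needed"
    elif not has_jndi:
        action = "JndiLookup already removed: mitigated"
    elif v >= parse_version("2.10"):
        action = "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true) or upgrade to 2.15.0"
    else:
        action = "remove JndiLookup.class from the jar or upgrade to 2.15.0"
    return {"version": version, "jndi_lookup_present": has_jndi, "action": action}


def build_sample_jar(version, include_jndi=True):
    """Constructed test input: an in-memory jar mimicking log4j-core's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf
```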
■ MONITORAPP product vulnerability response status
The Apache Log4j vulnerability has no effect on MONITORAPP products.
A detection pattern for this vulnerability has been applied to the WAF to detect and respond to exploitation attempts (distributed in the December 12, 2021 pattern version).
Pattern Name : Apache Log4j Remote Code Execution - JNDI features
• New Pattern Information – AIWAF, Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) Related Patterns
- v4.0.2 : officially out of service as of July 1, 2020
- v4.1.0 ~ v4.1.6 : W.3.0.124.0003_20211212_40ae24446210b0f68e3a6f138da54e44
- v5.0.0 ~ : W.5.0.024.0003_20211212_37dac25d8faf8d88f9af02177da1c0d7241b893b9848b16b15b2ca060ec7d388