Share information related to AIONCLOUD !

Back to BLOG Main

An update on the Apache Log4j vulnerability



The Apache Software Foundation has released a security update that addresses vulnerabilities in Log4j (https://logging.apache.org/log4j) software. 

Apache Log4j, where the vulnerability was found, is a Java-based open-source utility used to leave a log while writing a program. 

Since attackers can take advantage of the vulnerability and cause damage such as malicious code infection, we strongly encourage users who manage environments containing Log4j to update to the latest. 

■ Affected versions

 o Apache Log4j 2
   - 2.0-beta9 ~ 2.14.1 All Versions
 o Products that use Apache Log4j 2
    ※ If you are using the product using Apache Log4j2 (checking reference website), apply a patch or countermeasure according to the manufacturer's recommendation. 

■  Log4j2 vulnerability update 

Through the update on December 10, 2021, the vulnerability patch was provided as follows with Log4j 2.15.0 version. 

■ Log4j2 vulnerability compensation

If it is difficult to patch the vulnerability, please take temporary measures in the following ways. 

-  Log4j 2.10 to 2.14.1 versions
Change the value of system property log4j2.formatMsgNoLookups or environmental variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. 

-  Log4j 2.0-beta9 to 2.10.0 version
Remove the JndiLookup class as followed.
# zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

■ MONTIORAPP Product's vulnerability response status

Apache Log4j vulnerability has no effect on MONITORAPP products.

The vulnerability attack detection pattern is applied to WAF to detect/response. (December 12, 2021 distributed version) 

Pattern Name : Apache Log4j Remote Code Execution - JNDI features 

• New Pattern Information – AIWAF, Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) Related Patterns

- v4.0.2 : Officially out of service as of July 1st 2020 

- v4.1.0 ~ v4.1.6 : W.

- v5.0.0 ~ : W.

Reference links

Scroll Up