VU#930724: Apache Log4j allows insecure JNDI lookups
Overview


Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.


CISA has published Apache Log4j Vulnerability Guidance and provides a Software List.


Description


The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can execute arbitrary code provided by remote services such as LDAP, RMI, and DNS.


More information is available from the Apache Log4j Security Vulnerabilities page, including these highlights:


Log4j 1.x
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
log4j-core
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
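The two mitigation checks above (Log4j 2: is log4j-core, the JAR carrying the JNDI lookup, present on the classpath; Log4j 1.x: does the configuration reference JMSAppender) can be scripted as an inventory audit. The following is an added example written for this note, not CERT/CC or Apache code; the class path it looks for is the JndiLookup class that log4j-core ships, which the advisory does not name, and the JAR names and config lines are constructed samples.

```python
import io
import re
import zipfile
from pathlib import Path

# Lookup class shipped in log4j-core (the JAR this note says is impacted); log4j-api does not contain it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.x is only affected when JMSAppender is configured, so configs are grepped for it.
JMS_APPENDER_RE = re.compile(r"\bJMSAppender\b")

def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the JAR contents (bytes) include the Log4j 2 JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()

def config_uses_jms_appender(text: str) -> bool:
    """True if a Log4j 1.x properties/XML configuration references JMSAppender."""
    return JMS_APPENDER_RE.search(text) is not None

def audit(files: dict) -> list:
    """files maps path -> raw bytes. Returns (path, finding) pairs for impacted items."""
    findings = []
    for path, data in files.items():
        name = Path(path).name.lower()
        if name.endswith(".jar") and jar_has_jndi_lookup(data):
            findings.append((path, "log4j-core JAR contains JndiLookup"))
        elif name.endswith((".properties", ".xml")) and config_uses_jms_appender(data.decode("utf-8", "replace")):
            findings.append((path, "Log4j 1.x configuration uses JMSAppender"))
    return findings

def audit_directory(root: str) -> list:
    # Walk a real directory tree and audit every JAR and Log4j config found.
    paths = [p for p in Path(root).rglob("*") if p.suffix.lower() in (".jar", ".properties", ".xml")]
    return audit({str(p): p.read_bytes() for p in paths})

def _fake_jar(entries: list) -> bytes:
    """Constructed in-memory JAR with the given entry names (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()

def sample_files() -> dict:
    """Constructed sample inputs: one impacted core JAR, one api-only JAR, two 1.x configs."""
    return {
        "lib/log4j-core-2.x.jar": _fake_jar([JNDI_LOOKUP_CLASS, "META-INF/MANIFEST.MF"]),
        "lib/log4j-api-2.x.jar": _fake_jar(["org/apache/logging/log4j/Logger.class"]),
        "conf/log4j.properties": b"log4j.appender.jms=org.apache.log4j.net.JMSAppender\n",
        "conf/log4j-safe.properties": b"log4j.appender.file=org.apache.log4j.FileAppender\n",
    }
```

Running `audit(sample_files())` flags only the core JAR and the JMSAppender config; `audit_directory("/path/to/app")` applies the same checks to a deployed tree.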
CVE-2021-44228 tracks the initial JNDI injection and RCE vulnerability in Log4j 2. CVE-2021-4104 tracks a very similar vulnerability that affects Log4j 1 if JMSAppender and malicious connections have been configured. CVE-2021 ..
