Overview

A critical remote code execution vulnerability is affecting multiple versions of the Apache Log4j library.

Scanning for this vulnerability has been detected in the UK, and there are reports of active exploitation elsewhere. Proof-of-concept code is available.

Update (14/12/2021): The UK NCSC has revised its alert to include detection and enhanced mitigation advice: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

Detail

Log4j is a very widely used open-source Java logging library developed by the Apache Foundation. It is used in many applications and present in many services as a dependency.

Your enterprise applications, in-house applications developed within your organisation, or cloud services may be affected and should be updated as soon as possible.

More information about this vulnerability (CVE-2021-44228) can be found here: https://logging.apache.org/log4j/2.x/security.html

Additional note: Version 1 of Log4j is no longer supported. Developers should migrate to the latest version of Log4j 2.

Recommended Action

  • If you are using the Log4j library as a dependency within an application you have developed, ensure it is updated to version 2.15.0 or later.

  • If you are using an affected third-party application, ensure you keep the product updated to the latest version.

  • Mitigations exist for earlier releases (2.10 and later): set the system property "log4j2.formatMsgNoLookups" to "true", or remove the JndiLookup class from the classpath. Every effort should still be made to move to the latest version of Log4j.


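The following Python script is an added example (not NCSC's or Apache's tooling) of the check behind the classpath mitigation above: it reads the log4j-core version from the Maven pom.properties bundled in the jar, tests whether the JndiLookup class is present, and can rewrite the jar without that class. The entry paths it assumes are the standard log4j-core ones, and the jar it builds in demo() is a constructed stand-in for testing.

```python
import os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release the advisory treats as fixed

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when text is not a dotted version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def assess_jar(path):
    """Classify a jar as 'patched', 'mitigated', 'vulnerable' or 'not-log4j-core'."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:  # Maven metadata shipped inside log4j-core
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
    if version is None and JNDI_CLASS not in names:
        return "not-log4j-core"
    if version is not None and version >= FIXED:
        return "patched"
    return "vulnerable" if JNDI_CLASS in names else "mitigated"

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; True if the class was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(path + ".tmp", "w") as dst:  # copy every other entry
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(path + ".tmp", path)  # swap in the new jar only once fully written
    return True

def make_sample_jar(path, version, with_jndi):
    """Constructed stand-in for a log4j-core jar (test fixture, not a real jar)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only

def demo():  # constructed 2.14.1 jar: assess, strip JndiLookup, assess again
    old = os.path.join(tempfile.mkdtemp(), "log4j-core-2.14.1.jar")
    make_sample_jar(old, "2.14.1", True)
    return assess_jar(old), strip_jndi_lookup(old), assess_jar(old), strip_jndi_lookup(old)
```

The script does not descend into nested jars (fat jars, WAR/EAR archives), so unpack those first; the 2.15.0 threshold follows the version this advisory recommends.
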
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates