A critical vulnerability has been published for the Java logger Apache Log4j, which allows an attacker to execute custom code if he has control over logs or log parameters.
According to an initial analysis by LunaSec, users of Apache Struts should also update their systems immediately or proceed according to the mitigation mentioned. In addition, the requirements needed to carry out the exploit have been defined in more detail. In addition to a server with a corresponding log4j version, only an endpoint that can be connected to this server is required.
You can find a detailed procedure in the LunaSec advisory.
CVE:
2021-44228
Affected products:
Apache Log4j Version 2.0-beta9 to 2.14.1
- VMware
- Cisco
- Huawei
- Citrix
- gitHub
- McAfee
- Microsoft
- Oracle
- SAP
- Palo Alto Panorama
A list of over a hundred other affected products can be found here.
Criticality of the vulnerability:
Critical
Mitigation or measures to avoid or possible recommendations for action:
It is recommended to update to Log4J 2.16.0. If an update is not possible, the system setting “log4j2.formatMsgNoLookups” of Log4J should be set to “true”.
Is your system affected?
We will be happy to provide you with a free script that you can use to check your domains for this vulnerability. Download script!
In addition, you as a customer can now use our vulnerability scanner cyberscan.io® to check whether your system is affected by the Log4shell vulnerability. Please read the following technical description to find out how cyberscan.io® works in detail:
In case of urgent queries, we can be reached by telephone on the following number: +49 461 995 838 0
References and links:
- Apache Log4j Security: https://logging.apache.org/log4j/2.x/security.html
- Log4J Download: https://logging.apache.org/log4j/2.x/download.html
- LunaSec Security Advisory: https://www.lunasec.io/docs/blog/log4j-zero-day/
