Log4j RCE 0-day actively exploited

12:00pm, 20 December 2021

TLP Rating: Clear

Updated: 12:00pm, 20 December 2021 to provide the latest information on version upgrades, and a new denial of service vulnerability in Log4j.

Updated: 4.10pm, 15 December 2021 to provide the latest information on version upgrades, mitigations and a new denial of service vulnerability in Log4j.

Updated: 3.30pm, 13 December 2021 to provide a link to the list of related software's vulnerability status.

Updated: 10.30am, 11 December 2021 to provide the latest information on version upgrades to protect from this vulnerability.

The widely used Java logging library Log4j has an unauthenticated remote code execution (RCE) vulnerability and a denial of service vulnerability, both triggered when a user-controlled string is logged. This could allow an attacker full control of the affected server, or allow an attacker to conduct a denial of service attack.

Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published.

What's happening

Systems affected

Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.15.0 (inclusive) are affected by the remote code execution vulnerability.

Systems and services running Apache Log4j between versions 2.0 and 2.16.0 (inclusive) are affected by a denial of service vulnerability.

For more information on the specific configurations see the Apache advisory in the More Information section below.

This includes many applications and services written in Java.

What to look for

How to tell if you're at risk

Apache Log4j versions between version 2.0 and 2.15.0 (inclusive) are vulnerable to the remote code execution vulnerability.

Apache Log4j versions between version 2.0 and 2.16.0 (inclusive) are vulnerable to a denial of service vulnerability.

For more information on the specific configurations see the Apache advisory in the More Information section below.

How to tell if you're affected

A list of software and its vulnerability status is helpfully provided by NCSC-NL:

Log4j overview of related software

The log files for any services using affected Log4j versions will contain user-controlled strings.

Rules to help with detection

What to do

Prevention

Upgrade your Log4j versions to the latest version. The current latest Log4j version is 2.17.1, which fixes both vulnerabilities.

Note: this upgrade requires Java 8 or greater. If you cannot upgrade to Java 8 and are running Java 7, Apache have released Log4j 2.12.2.
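The version ranges given under "How to tell if you're at risk" and the fixed releases named above can be turned into a simple inventory check. The following is an added example, not CERT NZ's or Apache's own tooling: it reads the log4j-core version from the Maven pom.properties entry that Maven-built jars carry, and maps it to the advisory's RCE range (2.0 to 2.15.0), DoS range (2.0 to 2.16.0) and the 2.12.2 Java 7 release. It assumes the jar was built by Maven with that metadata path; shaded or repackaged jars may carry it elsewhere, and the sample jars below are constructed in memory for illustration.

```python
import io
import re
import zipfile

# Path inside Maven-built log4j-core jars that records the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Version boundaries as stated in this advisory.
RCE_MAX = (2, 15, 0)         # 2.0 to 2.15.0 inclusive: remote code execution
DOS_MAX = (2, 16, 0)         # 2.0 to 2.16.0 inclusive: denial of service
JAVA7_BACKPORT = (2, 12, 2)  # release the advisory names for Java 7 users

def parse_version(text):
    """'2.15.0' -> (2, 15, 0); '2.0' -> (2, 0, 0); suffixes like '-beta9' are ignored."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Return the advisory findings that apply to a log4j-core version string."""
    v = parse_version(version)
    if v < (2, 0, 0):
        return ["log4j 1.x: not covered by this advisory"]
    if v == JAVA7_BACKPORT:
        return ["Java 7 backport 2.12.2 named in this advisory"]
    findings = []
    if v <= RCE_MAX:
        findings.append("RCE (2.0-2.15.0)")
    if v <= DOS_MAX:
        findings.append("DoS (2.0-2.16.0)")
    return findings  # empty list means 2.17.1 or later, i.e. fixed

def assess_jar(data):
    """Read the log4j-core version from jar bytes and classify it."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        props = z.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in z.namelist() else ""
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    if not m:
        return {"version": None, "findings": ["no log4j-core version found in jar"]}
    version = m.group(1).strip()
    return {"version": version, "findings": classify(version)}

def build_sample_jar(version):
    """Constructed in-memory jar carrying only log4j-core's pom.properties (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()
```

Run `assess_jar(open(path, "rb").read())` over the jars found on a host to get the version and the advisory findings for each; an empty findings list means the jar is at 2.17.1 or later.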

Mitigation

Previously it was reported that setting log4j2.formatMsgNoLookups to true would mitigate the vulnerability, but this is no longer the case under all circumstances. This mitigation may still help but is no longer sufficient.

Note: this mitigation does not prevent denial of service and will only work for versions 2.10 and above. This mitigation may impact the behaviour of your system’s logging if it relies on Lookups for message formatting.

More information