Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)

Last updated: 2022-06-23 11:14:26

    On December 29, 2021, the Tencent Cloud Security Operations Center noticed that the Apache Log4j 2 project had announced a remote code execution vulnerability (CVE-2021-44832) that exists in some special scenarios. The vulnerability is hard to exploit, as attackers can remotely execute arbitrary code only if they have permission to modify the configuration file.

    To safeguard your business, we recommend that you conduct a security inspection promptly. If your business is affected, update to a fixed version promptly to prevent intrusions by attackers.

    Vulnerability Details

    Apache Log4j 2 is an open-source Java-based logging framework. As an upgraded version of Log4j 1.x, it rewrites the Log4j framework and introduces various new features, making it widely suitable for logging in the development of many business systems.

    As described by Apache, attackers with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.

    This vulnerability is hard to exploit because it requires attackers to have permission to modify configuration files (which usually can be obtained only through other vulnerabilities) and because it doesn't exist in the default configuration.
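
    A defender-side check for the configuration pattern described above, as an added example that is not part of this advisory or of Log4j: it parses an XML Log4j 2 configuration and lists every DataSource whose jndiName falls outside the java: namespace, the protocol to which Apache's fix limits JNDI data source names. The sample configurations and the function name audit_jdbc_datasources are constructed for illustration, and only XML-format configurations are covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the advisory): local JNDI name.
SAMPLE_LOCAL = """<Configuration>
  <Appenders>
    <JDBC name="auditDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""
# Same constructed config with the data source pointing at a remote JNDI URI.
SAMPLE_REMOTE = SAMPLE_LOCAL.replace(
    "java:/comp/env/jdbc/LoggingDataSource", "ldap://host.invalid/obj")


def _local(tag):
    """Lower-cased element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1].lower()


def _attr(elem, name):
    """Case-insensitive attribute lookup; returns None when absent."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_jdbc_datasources(xml_text):
    """Return [(appender_name, jndi_name)] for DataSource elements whose JNDI
    name is outside the java: namespace. This includes ${...} lookups, which
    cannot be resolved statically and need manual review."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "datasource":
            continue
        jndi = _attr(elem, "jndiName")
        if jndi is None or jndi.startswith("java:"):
            continue
        owner = parent.get(elem)
        findings.append((_attr(owner, "name") if owner is not None else None, jndi))
    return findings


if __name__ == "__main__":
    print(audit_jdbc_datasources(SAMPLE_LOCAL))
    print(audit_jdbc_datasources(SAMPLE_REMOTE))
```

    A non-empty result on a host that should only use container-managed data sources is a reason to check who last modified the configuration file.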

    Risk Level

    Medium.

    Vulnerability Risk

    This vulnerability may be exploited by attackers to remotely execute arbitrary code.

    Affected Versions

    2.0-beta7 ≤ Apache Log4j 2.x < 2.17.0 (excluding 2.3.2 and 2.12.4)

    Safe Versions

    • Apache Log4j 2.x ≥ 2.3.2 (Java 6)
    • Apache Log4j 2.x ≥ 2.12.4 (Java 7)
    • Apache Log4j 2.x ≥ 2.17.1 (Java 8 or later)

    Suggestions for Fix

    Currently, an official safe version of Apache Log4j 2 has been released. You can update to it as instructed in Download Apache Log4j 2.

    Note:

    Back up your data before upgrading to avoid accidental losses.

    Tencent Security Solution

    Tencent Cloud NTA rule libraries released after December 29, 2021 support detecting the Log4j 2 RCE vulnerability CVE-2021-44832.

    References

    For more information, see Apache Log4j Security Vulnerabilities.
