Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
Last updated: 2022-06-23 11:14:26
On December 29, 2021, Tencent Cloud Security Operations Center noticed that the Apache Log4j 2 project had announced a remote code execution vulnerability (CVE-2021-44832) affecting certain special scenarios. The vulnerability is hard to exploit: attackers can remotely execute arbitrary code only if they already have permission to modify the configuration file.
To safeguard your business, we recommend you conduct a security inspection promptly. If your business is affected, update to a fixed version to address the vulnerability and prevent intrusions by attackers.

Vulnerability Details

Apache Log4j 2 is an open-source Java-based logging framework. As the successor to Log4j 1.x, it rewrites the Log4j framework and introduces many new features, and it is widely used for logging in business systems.
As described by Apache, an attacker with permission to modify the logging configuration file can construct a malicious configuration that uses a JDBC Appender with a data source referencing a JNDI URI, which can lead to remote code execution.
Because the vulnerability requires that attackers already have permission to modify configuration files (which usually can only be obtained through other vulnerabilities) and does not exist in the default configuration, it is hard to exploit.

Risk Level

Medium.

Vulnerability Risk

This vulnerability may be exploited by attackers to remotely execute arbitrary code.

Affected Versions

2.0-beta7 ≤ Apache Log4j 2.x < 2.17.0 (excluding 2.3.2 and 2.12.4)

Safe Versions

Apache Log4j 2.x ≥ 2.3.2 (Java 6)
Apache Log4j 2.x ≥ 2.12.4 (Java 7)
Apache Log4j 2.x ≥ 2.17.1 (Java 8 or later)
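The two checks below follow from the Vulnerability Details and Safe Versions sections above. They are an added example, not code from Tencent Cloud or the Apache Log4j project. `classify_version` compares a Log4j 2 version string (including pre-release tags such as `2.0-beta7`) against the fixed lines listed under Safe Versions, treating any Log4j 2 release from 2.0-beta7 onward that is not on one of those lines as needing an upgrade. `audit_config` parses a Log4j 2 XML configuration and flags any JDBC Appender whose `DataSource` `jndiName` is not in the container-local `java:` namespace, which is the configuration change the advisory describes. The two sample configurations, the appender and data source names, and the placeholder host are constructed for this example.

```python
"""Added example (not Tencent Cloud or Apache code): two defender-side checks for
CVE-2021-44832 based on the version ranges and the JDBC Appender / JNDI data
source description in this advisory."""
import re
import xml.etree.ElementTree as ET

# Pre-release tags sort before the final release: beta < rc < release.
_PRE_RANK = {"beta": 0, "rc": 1}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.0-beta7', '2.12.4' or '2.17.1' into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Log4j version string: %r" % text)
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre.lower()] if pre else 2
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))


FIRST_AFFECTED = parse_version("2.0-beta7")
# Fixed release lines from the advisory's "Safe Versions" section.
SAFE_LINES = {
    (2, 3): parse_version("2.3.2"),     # Java 6
    (2, 12): parse_version("2.12.4"),   # Java 7
}
SAFE_MAINLINE = parse_version("2.17.1")  # Java 8 or later


def classify_version(text):
    """'safe' if the version is on a fixed line, 'upgrade' if it is a Log4j 2
    release from 2.0-beta7 onward that is not, 'outside-range' for anything older."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "outside-range"
    fixed = SAFE_LINES.get(v[:2])
    if fixed is not None and v >= fixed:
        return "safe"
    if v >= SAFE_MAINLINE:
        return "safe"
    return "upgrade"


def audit_config(xml_text):
    """Flag JDBC appenders whose DataSource jndiName is not in the local
    'java:' namespace, i.e. a data source that references a remote JNDI URI.
    Returns a list of (appender name, jndiName) findings."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        name = appender.get("name", "<unnamed>")
        for child in appender:
            if child.tag.lower() == "datasource":
                jndi = child.get("jndiName", "")
                if not jndi.lower().startswith("java:"):
                    findings.append((name, jndi))
    return findings


# Constructed sample: a normal JDBC appender backed by a container-local data source.
BENIGN_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDatabase"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>"""

# Constructed sample: the same file after the data source has been pointed at a
# remote JNDI URI (placeholder host), the change the advisory describes.
TAMPERED_CONFIG = BENIGN_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDatabase", "ldap://placeholder.invalid/app")


if __name__ == "__main__":
    for ver in ("2.0-beta7", "2.14.1", "2.3.2", "2.12.4", "2.17.0", "2.17.1"):
        print(ver, "->", classify_version(ver))
    print("benign config findings:", audit_config(BENIGN_CONFIG))
    print("tampered config findings:", audit_config(TAMPERED_CONFIG))
```

The version check reads the version from whatever inventory you already have (a jar manifest, a dependency tree, or a software bill of materials); the configuration audit is a cheap integrity check to run over every deployed `log4j2.xml`, since the advisory notes that the attack requires the configuration file to have been modified. A finding from `audit_config` on a file that should only reference local data sources is a sign of tampering worth investigating regardless of the Log4j version in use.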

Suggestions for Fix

Currently, an official safe version of Apache Log4j 2 has been released. You can update to it as instructed in Download Apache Log4j 2.
Note:
Back up your data before upgrading to avoid accidental losses.

Tencent Security Solution

Tencent Cloud NTA rule libraries released after December 29, 2021 support detecting the Log4j 2 RCE vulnerability CVE-2021-44832.

References

For more information, see Apache Log4j Security Vulnerabilities.