On December 17, 2021, Tencent Cloud Security Operations Center noticed that Apache Log4j's fix for CVE-2021-44228 was incomplete in non-default configurations, so the vulnerability could be exploited by attackers to launch remote code execution attacks in some special configuration scenarios.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Apache Log4j 2 is an open-source logging component as the upgrade of Apache Log4j. It controls the output format of each log and allows you to define the level of each log to control the log generation process in a more refined manner.
After disclosing the severe RCE vulnerability CVE-2021-44228 on December 9, 2021, Apache Log4j recently disclosed another RCE vulnerability CVE-2021-45046, whose severity increased from CVSS 3.7 to CVSS 9.0. This vulnerability is caused by the incomplete fix for CVE-2021-44228 in non-default configurations. In certain scenarios such as thread context search mode, attackers can construct specific requests to execute code remotely.
This vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.
High (CVSS score: 9.0)
This vulnerability may be exploited by attackers to remotely execute arbitrary code.
2.0-beta9 ≤ Apache Log4j 2.x < 2.16.0 (excluding 2.12.2)
We recommend you conduct internal inspections to check whether your business applications use the Apache log4j-core
JAR package. If the dependency is introduced and the Log4j version is among the affected versions, the vulnerability may affect your business, and you can take the following measures:
Note:Back up your data before upgrading to avoid accidental losses.
Currently, officially fixed versions have been released. You can upgrade the component or update the code to this version.
If you cannot upgrade the version currently, we recommend you run the following command to remove the JndiLookup
class file from the log4j-core
package and restart the service:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Use a security group or firewall to restrict the affected applications from accessing the internet.
For more information, see Apache Log4j Security Vulnerabilities.
Was this page helpful?