tencent cloud

Feedback

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)

Last updated: 2022-06-23 11:14:26

    On December 17, 2021, Tencent Cloud Security Operations Center noticed that Apache Log4j's fix for CVE-2021-44228 was incomplete in non-default configurations, so the vulnerability could be exploited by attackers to launch remote code execution attacks in some special configuration scenarios.

    To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.

    Vulnerability Details

    Apache Log4j 2 is an open-source logging component as the upgrade of Apache Log4j. It controls the output format of each log and allows you to define the level of each log to control the log generation process in a more refined manner.

    After disclosing the severe RCE vulnerability CVE-2021-44228 on December 9, 2021, Apache Log4j recently disclosed another RCE vulnerability CVE-2021-45046, whose severity increased from CVSS 3.7 to CVSS 9.0. This vulnerability is caused by the incomplete fix for CVE-2021-44228 in non-default configurations. In certain scenarios such as thread context search mode, attackers can construct specific requests to execute code remotely.

    This vulnerability also affects a high number of universal applications and components around the globe, such as:
    Apache Struts 2
    Apache Solr
    Apache Druid
    Apache Flink
    Apache Dubbo
    Apache Kafka
    Spring-boot-starter-log4j2
    Elasticsearch
    Logstash

    We recommend you check and upgrade all systems or applications that use the Log4j component in time.

    Risk Level

    High (CVSS score: 9.0)

    Vulnerability Risk

    This vulnerability may be exploited by attackers to remotely execute arbitrary code.

    Affected Versions

    2.0-beta9 ≤ Apache Log4j 2.x < 2.16.0 (excluding 2.12.2)

    Safe Versions

    • Apache Log4j 2.16.0 (Java 8)
    • Apache Log4j 2.12.2 (Java 7)

    Suggestions for Fix

    We recommend you conduct internal inspections to check whether your business applications use the Apache log4j-core JAR package. If the dependency is introduced and the Log4j version is among the affected versions, the vulnerability may affect your business, and you can take the following measures:

    Note:

    Back up your data before upgrading to avoid accidental losses.

    Upgrading to latest official version (recommended)

    Currently, officially fixed versions have been released. You can upgrade the component or update the code to this version.

    Using other protection solutions

    1. If you cannot upgrade the version currently, we recommend you run the following command to remove the JndiLookup class file from the log4j-core package and restart the service:

      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
      
    2. Use a security group or firewall to restrict the affected applications from accessing the internet.

    References

    For more information, see Apache Log4j Security Vulnerabilities.

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support