- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Asset Management APIs
- Billing APIs
- Protection Settings APIs
- AddAntiFakeUrl
- AddAntiInfoLeakRules
- DeleteAntiFakeUrl
- DeleteSession
- DescribeAntiFakeRules
- DescribeAntiInfoLeakageRules
- DescribeCCRule
- DescribeCCRuleList
- DescribeCustomRuleList
- DescribeCustomWhiteRule
- DescribeDomainVerifyResult
- DescribeModuleStatus
- DescribeObjects
- DescribeRuleLimit
- DescribeSession
- DescribeSpartaProtectionInfo
- DescribeUserLevel
- ModifyAntiFakeUrl
- ModifyAntiInfoLeakRuleStatus
- ModifyAntiInfoLeakRules
- ModifyCustomRule
- ModifyCustomRuleStatus
- ModifyCustomWhiteRule
- ModifyCustomWhiteRuleStatus
- ModifyModuleStatus
- ModifyObject
- ModifyProtectionStatus
- ModifySpartaProtectionMode
- ModifyUserLevel
- ModifyUserSignatureRule
- SwitchElasticMode
- Other APIs
- AddCustomWhiteRule
- DeleteAntiInfoLeakRule
- DeleteCCRule
- DeleteCustomRule
- DeleteCustomWhiteRule
- DescribeDomainCountInfo
- DescribeFindDomainList
- DescribeHost
- DescribeHostLimit
- DescribeHosts
- DescribeInstances
- DescribeUserDomainInfo
- DescribeWebshellStatus
- FreshAntiFakeUrl
- ModifyAntiFakeUrlStatus
- ModifyBotStatus
- ModifyDomainsCLSStatus
- ModifyHostMode
- ModifyHostStatus
- ModifyInstanceElasticMode
- ModifyInstanceName
- ModifyInstanceQpsLimit
- ModifyInstanceRenewFlag
- ModifyWebshellStatus
- UpsertCCRule
- UpsertSession
- GetInstanceQpsLimit
- AddCustomRule
- IP Management APIs
- Integration APIs
- DescribeCertificateVerifyResult
- DeleteHost
- DescribeTlsVersion
- ModifyHost
- ModifyHostFlowMode
- ModifySpartaProtection
- AddSpartaProtection
- DescribePorts
- DescribeUserClbWafRegions
- RefreshAccessCheckResult
- DeleteSpartaProtection
- DescribeCiphersDetail
- DescribeDomainDetailsClb
- DescribeDomainDetailsSaas
- ModifyDomainIpv6Status
- CreateHost
- DescribeVipInfo
- Log Service APIs
- Bot Behavior Management APIs
- Security Overview APIs
- Data Types
- Error Codes
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Asset Management APIs
- Billing APIs
- Protection Settings APIs
- AddAntiFakeUrl
- AddAntiInfoLeakRules
- DeleteAntiFakeUrl
- DeleteSession
- DescribeAntiFakeRules
- DescribeAntiInfoLeakageRules
- DescribeCCRule
- DescribeCCRuleList
- DescribeCustomRuleList
- DescribeCustomWhiteRule
- DescribeDomainVerifyResult
- DescribeModuleStatus
- DescribeObjects
- DescribeRuleLimit
- DescribeSession
- DescribeSpartaProtectionInfo
- DescribeUserLevel
- ModifyAntiFakeUrl
- ModifyAntiInfoLeakRuleStatus
- ModifyAntiInfoLeakRules
- ModifyCustomRule
- ModifyCustomRuleStatus
- ModifyCustomWhiteRule
- ModifyCustomWhiteRuleStatus
- ModifyModuleStatus
- ModifyObject
- ModifyProtectionStatus
- ModifySpartaProtectionMode
- ModifyUserLevel
- ModifyUserSignatureRule
- SwitchElasticMode
- Other APIs
- AddCustomWhiteRule
- DeleteAntiInfoLeakRule
- DeleteCCRule
- DeleteCustomRule
- DeleteCustomWhiteRule
- DescribeDomainCountInfo
- DescribeFindDomainList
- DescribeHost
- DescribeHostLimit
- DescribeHosts
- DescribeInstances
- DescribeUserDomainInfo
- DescribeWebshellStatus
- FreshAntiFakeUrl
- ModifyAntiFakeUrlStatus
- ModifyBotStatus
- ModifyDomainsCLSStatus
- ModifyHostMode
- ModifyHostStatus
- ModifyInstanceElasticMode
- ModifyInstanceName
- ModifyInstanceQpsLimit
- ModifyInstanceRenewFlag
- ModifyWebshellStatus
- UpsertCCRule
- UpsertSession
- GetInstanceQpsLimit
- AddCustomRule
- IP Management APIs
- Integration APIs
- DescribeCertificateVerifyResult
- DeleteHost
- DescribeTlsVersion
- ModifyHost
- ModifyHostFlowMode
- ModifySpartaProtection
- AddSpartaProtection
- DescribePorts
- DescribeUserClbWafRegions
- RefreshAccessCheckResult
- DeleteSpartaProtection
- DescribeCiphersDetail
- DescribeDomainDetailsClb
- DescribeDomainDetailsSaas
- ModifyDomainIpv6Status
- CreateHost
- DescribeVipInfo
- Log Service APIs
- Bot Behavior Management APIs
- Security Overview APIs
- Data Types
- Error Codes
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
Last updated: 2022-06-23 11:14:26
On December 9, 2021, Tencent Cloud Security Operations Center noticed that a severe code execution vulnerability (CVE-2021-44228) in Apache Log4j 2 was disclosed. Currently, Log4j 2 has released an official security announcement and safe version. Once the vulnerability is exploited, problems such as server intrusion can occur.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Vulnerability Details
Apache Log4j 2 is a widely used open-source logging component. It substitutes for print statements such as System.out in projects and is the most popular logging tool in Java.
If Log4j 2 is used to process malicious data in certain scenarios, malicious code may be injected and executed.
Log4j 2 is used by many Java frameworks and applications as a third-party basic logging library. Your business may be attacked through this vulnerability if it uses Log4j 2 to output logs and the log content can be partially controlled by attackers. Therefore, this vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.
Risk Level
High Risk
Vulnerability Risk
This vulnerability may be exploited by attackers to remotely execute arbitrary code.
Affected Versions
Apache Log4j 2.0–2.14.1
Safe Versions
Apache Log4j 2.16.0
Suggestions for Fix
Upgrading to latest official version (recommended)
The current latest official version is log4j-core-2.16.0. You can upgrade the component or update the code to this version.
Disabling lookup feature in Log4j
Disabling in configuration file (recommended)
Add the following content to the log4j2.component.properties configuration file (if it doesn't exist, manually create one) in classpath of Log4j 2.9.1 or later:
log4j2.formatMsgNoLookups=True
log4j.formatMsgNoLookups=True
Disabling through JVM parameter configuration (not recommended as the configuration can be easily lost)
Add -Dlog4j2.formatMsgNoLookups=true and -Dlog4j.formatMsgNoLookups=true to the JVM startup parameters.
Note:For versions 2.0–2.10, you should upgrade them to 2.10 or later first and then add JVM parameters.
Upgrading JDK to later versions (recommended)
As JDK on a later version has some security limits, we recommend you upgrade JDK to 6u211, 7u201, 8u191, or 11.0.1 or later. This can block vulnerability exploit methods such as JNDI to a certain extent.
Other temporary mitigation measures
You can use a firewall or security group to prohibit relevant applications and businesses from actively connecting to the public network.
Tencent Security Solution
Tencent Cloud WAF can detect and block attacks exploiting the Log4j 2 RCE vulnerability.
References
For more information, see Apache Log4j Security Vulnerabilities.
Yes
No
Was this page helpful?