On December 9, 2021, Tencent Cloud Security Operations Center noticed that a severe code execution vulnerability (CVE-2021-44228) in Apache Log4j 2 was disclosed. Currently, Log4j 2 has released an official security announcement and safe version. Once the vulnerability is exploited, problems such as server intrusion can occur.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Apache Log4j 2 is a widely used open-source logging component. It substitutes for print statements such as System.out
in projects and is the most popular logging tool in Java.
If Log4j 2 is used to process malicious data in certain scenarios, malicious code may be injected and executed.
Log4j 2 is used by many Java frameworks and applications as a third-party basic logging library. Your business may be attacked through this vulnerability if it uses Log4j 2 to output logs and the log content can be partially controlled by attackers. Therefore, this vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.
High Risk
This vulnerability may be exploited by attackers to remotely execute arbitrary code.
Apache Log4j 2.0–2.14.1
Apache Log4j 2.16.0
The current latest official version is log4j-core-2.16.0. You can upgrade the component or update the code to this version.
Add the following content to the log4j2.component.properties
configuration file (if it doesn't exist, manually create one) in classpath
of Log4j 2.9.1 or later:
log4j2.formatMsgNoLookups=True
log4j.formatMsgNoLookups=True
Add -Dlog4j2.formatMsgNoLookups=true
and -Dlog4j.formatMsgNoLookups=true
to the JVM startup parameters.
Note:For versions 2.0–2.10, you should upgrade them to 2.10 or later first and then add JVM parameters.
As JDK on a later version has some security limits, we recommend you upgrade JDK to 6u211, 7u201, 8u191, or 11.0.1 or later. This can block vulnerability exploit methods such as JNDI to a certain extent.
You can use a firewall or security group to prohibit relevant applications and businesses from actively connecting to the public network.
Tencent Cloud WAF can detect and block attacks exploiting the Log4j 2 RCE vulnerability.
For more information, see Apache Log4j Security Vulnerabilities.
Was this page helpful?