tencent cloud

Feedback

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)

Last updated: 2022-06-23 11:14:26

    On December 9, 2021, Tencent Cloud Security Operations Center noticed that a severe code execution vulnerability (CVE-2021-44228) in Apache Log4j 2 was disclosed. Currently, Log4j 2 has released an official security announcement and safe version. Once the vulnerability is exploited, problems such as server intrusion can occur.

    To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.

    Vulnerability Details

    Apache Log4j 2 is a widely used open-source logging component. It substitutes for print statements such as System.out in projects and is the most popular logging tool in Java.

    If Log4j 2 is used to process malicious data in certain scenarios, malicious code may be injected and executed.

    Log4j 2 is used by many Java frameworks and applications as a third-party basic logging library. Your business may be attacked through this vulnerability if it uses Log4j 2 to output logs and the log content can be partially controlled by attackers. Therefore, this vulnerability also affects a high number of universal applications and components around the globe, such as:
    Apache Struts 2
    Apache Solr
    Apache Druid
    Apache Flink
    Apache Flume
    Apache Dubbo
    Apache Kafka
    Spring-boot-starter-log4j2
    Elasticsearch
    Logstash

    We recommend you check and upgrade all systems or applications that use the Log4j component in time.

    Risk Level

    High Risk

    Vulnerability Risk

    This vulnerability may be exploited by attackers to remotely execute arbitrary code.

    Affected Versions

    Apache Log4j 2.0–2.14.1

    Safe Versions

    Apache Log4j 2.16.0

    Suggestions for Fix

    Upgrading to latest official version (recommended)

    The current latest official version is log4j-core-2.16.0. You can upgrade the component or update the code to this version.

    Disabling lookup feature in Log4j

    Disabling in configuration file (recommended)

    Add the following content to the log4j2.component.properties configuration file (if it doesn't exist, manually create one) in classpath of Log4j 2.9.1 or later:

    log4j2.formatMsgNoLookups=True
    log4j.formatMsgNoLookups=True
    

    Add -Dlog4j2.formatMsgNoLookups=true and -Dlog4j.formatMsgNoLookups=true to the JVM startup parameters.

    Note:

    For versions 2.0–2.10, you should upgrade them to 2.10 or later first and then add JVM parameters.

    Upgrading JDK to later versions (recommended)

    As JDK on a later version has some security limits, we recommend you upgrade JDK to 6u211, 7u201, 8u191, or 11.0.1 or later. This can block vulnerability exploit methods such as JNDI to a certain extent.

    Other temporary mitigation measures

    You can use a firewall or security group to prohibit relevant applications and businesses from actively connecting to the public network.

    Tencent Security Solution

    Tencent Cloud WAF can detect and block attacks exploiting the Log4j 2 RCE vulnerability.

    References

    For more information, see Apache Log4j Security Vulnerabilities.

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support