Web Application Firewall
- Release Notes and Announcements
- Product Announcement
- Security Advisory
- Product Introduction
- Purchase Guide
- Billing Overview
- Getting Started
- Operation Guide
- SaaS WAF Connection
- CLB WAF Connection
- Connect Via Instance Object
- Bot and Application Security
- Bot Settings
- Bot Management
- Bot Traffic Visibility
- Basic Security Configurations
- API Security Management
- Threat Operation
- Blocklist/Allowlist Protection Settings
- Statistics and Logs
- Practical Tutorial
- Bot Management
- API Security
- Integration
- API Documentation
- Making API Requests
- Asset Management APIs
- Protection Settings APIs
- Other APIs
- IP Management APIs
- Integration APIs
- Security Overview APIs
- FAQS
DocumentationWeb Application FirewallRelease Notes and Announcements Security AdvisoryNotice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
Last updated: 2022-06-23 11:14:26
Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
Last updated: 2022-06-23 11:14:26
On December 9, 2021, Tencent Cloud Security Operations Center noticed that a severe code execution vulnerability (CVE-2021-44228) in Apache Log4j 2 was disclosed. Currently, Log4j 2 has released an official security announcement and safe version. Once the vulnerability is exploited, problems such as server intrusion can occur.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Vulnerability Details
Apache Log4j 2 is a widely used open-source logging component. It substitutes for print statements such as
System.out in projects and is the most popular logging tool in Java.If Log4j 2 is used to process malicious data in certain scenarios, malicious code may be injected and executed.
Log4j 2 is used by many Java frameworks and applications as a third-party basic logging library. Your business may be attacked through this vulnerability if it uses Log4j 2 to output logs and the log content can be partially controlled by attackers. Therefore, this vulnerability also affects a high number of universal applications and components around the globe, such as:
Apache Struts 2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
Elasticsearch
Logstash
…
We recommend you check and upgrade all systems or applications that use the Log4j component in time.
Risk Level
High Risk
Vulnerability Risk
This vulnerability may be exploited by attackers to remotely execute arbitrary code.
Affected Versions
Apache Log4j 2.0–2.14.1
Safe Versions
Apache Log4j 2.16.0
Suggestions for Fix
Upgrading to latest official version (recommended)
The current latest official version is log4j-core-2.16.0. You can upgrade the component or update the code to this version.
Disabling lookup feature in Log4j
Disabling in configuration file (recommended)
Add the following content to the
log4j2.component.properties configuration file (if it doesn't exist, manually create one) in classpath of Log4j 2.9.1 or later:log4j2.formatMsgNoLookups=Truelog4j.formatMsgNoLookups=True
Disabling through JVM parameter configuration (not recommended as the configuration can be easily lost)
Add
-Dlog4j2.formatMsgNoLookups=true and -Dlog4j.formatMsgNoLookups=true to the JVM startup parameters.Note:
For versions 2.0–2.10, you should upgrade them to 2.10 or later first and then add JVM parameters.
Upgrading JDK to later versions (recommended)
As JDK on a later version has some security limits, we recommend you upgrade JDK to 6u211, 7u201, 8u191, or 11.0.1 or later. This can block vulnerability exploit methods such as JNDI to a certain extent.
Other temporary mitigation measures
You can use a firewall or security group to prohibit relevant applications and businesses from actively connecting to the public network.
Tencent Security Solution
References
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No