[Security Vulnerabilities] CVE-2021-44228-Log4Shell

Posted by DavidEugen on December 12, 2021 · 1 min read

[Ref.1] Apache home

https://logging.apache.org/log4j/2.x/security.html

[Ref.2] Hashes of affected log4j-core JARs (mubix)

https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

[Ref.3] Detection Rules:

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

[Ref.4] KISA Notes (South Korea)

https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389

=====================================================

[log4shell Update] - 2021.12.15

Fixed in Log4j 2.12.2 and Log4j 2.16.0

Mitigation

Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability (it has no lookup mechanism to abuse). Note that 1.x has been end-of-life since 2015 and is covered by its own separate advisories, so "not affected by CVE-2021-44228" is not the same as "safe to keep".

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    This has to be done for every copy of log4j-core on the host, including copies nested inside WAR/EAR files and fat JARs, which the zip command above does not reach. Afterwards list the archive contents to confirm the class entry is gone, and restart the application so the running JVM no longer holds the old class.

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
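The zip -d fallback above only edits the one archive named on the command line, while log4j-core is usually also bundled inside WAR/EAR files or fat JARs. The script below is an added example, not code from the Apache advisory or from the original post: it scans archives recursively, reads the log4j-core version from the manifest and compares it against the fixed releases named above (2.12.2 for the Java 7 line, 2.16.0 otherwise), and rewrites an archive with JndiLookup.class removed, recursing into nested archives. The sample JAR and WAR it builds are constructed stand-ins with placeholder class entries, not real log4j builds; the helper names (scan_bytes, strip_jndi_lookup, remediate_file) are this example's own.

```python
"""Find log4j-core inside JAR/WAR/EAR archives (nested ones included) and strip
JndiLookup.class, the fallback mitigation from the advisory. Added example; the
sample archives are constructed here and are not real log4j builds."""
import io
import os
import re
import shutil
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def version_tuple(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    if not text:
        return None
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3]) if nums else None


def is_fixed_version(text):
    """Fixed releases per the advisory: 2.12.2 on the 2.12 line, else 2.16.0+."""
    v = version_tuple(text)
    if v is None:
        return False
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 16, 0)


def manifest_version(zf):
    try:
        mf = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
    return m.group(1) if m else None


def scan_bytes(blob, label):
    """One finding per log4j-core found in the archive or any nested archive."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = manifest_version(zf)
            has_jndi = JNDI_CLASS in names
            findings.append({"path": label, "version": version, "jndi_lookup": has_jndi,
                             # class present and version below the fix: needs action
                             "vulnerable": has_jndi and not is_fixed_version(version)})
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_bytes(zf.read(n), f"{label}!/{n}"))
    return findings


def strip_jndi_lookup(blob):
    """Return (new_archive_bytes, removed_count) with JndiLookup.class dropped at
    every nesting level. Entry order and compression method are preserved, which
    matters for fat JARs that require nested JARs to be STORED uncompressed."""
    try:
        src = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return blob, 0  # not an archive: copy through untouched
    out, removed = io.BytesIO(), 0
    with src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            data = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_EXT):
                data, n = strip_jndi_lookup(data)
                removed += n
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, data)
    return out.getvalue(), removed


def scan_tree(root):
    """Walk a directory and scan every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), p))
    return findings


def remediate_file(path):
    """Strip the class from an archive on disk, keeping a .bak copy; returns count removed."""
    with open(path, "rb") as fh:
        new, removed = strip_jndi_lookup(fh.read())
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "wb") as fh:
            fh.write(new)
    return removed


def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core: a manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "LogEvent.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_sample_war():
    """Constructed WAR embedding the sample jar under WEB-INF/lib (stored, as fat JARs need)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zi = zipfile.ZipInfo("WEB-INF/lib/log4j-core-2.14.1.jar")
        zi.compress_type = zipfile.ZIP_STORED
        zf.writestr(zi, make_sample_jar("2.14.1"))
    return buf.getvalue()


if __name__ == "__main__":
    war = make_sample_war()
    print("before:", scan_bytes(war, "app.war"))
    fixed, n = strip_jndi_lookup(war)
    print("removed", n, "after:", scan_bytes(fixed, "app.war"))
```

Run it on a real host as `scan_tree("/opt")` followed by `remediate_file(path)` for each vulnerable finding; the version check is deliberately separate from the class check, because 2.16.0 and later still ship the class with JNDI disabled, so "class present" alone is not a vulnerability signal. As with the zip command, the JVM must be restarted afterwards.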

https://lnkd.in/g-bv3WUE