Apache Log4j Vulnerability - What you need to know
On December 12th 2021 a vulnerability was identified in the Apache logging application – Log4j (v2.0 – 2.14). Please be aware that all Certero products whether provisioned on-premises or as SaaS, are not affected by this vulnerability. Certero can however, be used to rapidly identify systems that are.
What is the Apache Log4j Vulnerability?
Tracked as CVE-2021-44228 and classified as severe, this remote code execution (RCE) vulnerability allows an attacker to potentially gain access to systems via the Java logging library through the insertion of a malicious code string, which then allows them to do various malicious activities such as taking control, importing malware or harvesting data.
What is the Impact?
Log4j 2 is commonly used to log activity within applications and is included in Apache frameworks including:
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
- Apache Swift
Due to its widespread use, a substantial amount of systems are affected. Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java.
Microsoft has stated that the bulk of attacks they have observed at this time have been ‘related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers’.
Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.
What can I do to mitigate the risk?
The UK National Cyber Security Centre has advised the following steps to mitigate the risk:
- If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
- If you are using an affected third-party application, ensure you keep the product updated to the latest version
- The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath
How Certero can help – Visibility
Application vendors are releasing patches or workarounds for their products so please ensure you follow individual manufacturer information to mitigate against the vulnerability.
Certero can be used to identify installations of Log4j on Linux devices by creating a dynamic group. Certero is able to identify systems where Apache is installed which can then be further interrogated for instances of vulnerable versions of Log4J. For assistance, please contact Certero through the Customer Center.
Certero’s Commitment to Security
Security remains of paramount importance to Certero, as demonstrated by maintaining both ISO 27001 and Cyber Essentials Plus Certification for all Certero products and services. Certero’s commitment to creating best-of-breed, secure solutions is baked-in to our development philosophy of keeping all solution development in-house within Certero and freeing customers from the burden and risks of legacy technology.