A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

11 December 2021 [NO.TCSA : 20211211-1-1-P]

PUBLISHED:
11 December 2021

A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

A remote code execution vulnerability was found in multiple versions of the Apache Log4j 2 library. The vulnerability was assigned with CVE-2021-44228. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organization, as well as numerous cloud services.

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.

 

Affected Versions

  • All versions from 2.0-beta9 to 2.14.1

 

Mitigation

  • Ensure you update to version 2.15.0 or later If you are using the Log4j 2 library as a dependency within an application.
  • Ensure you keep the product updated to the latest version If you are using an affected third-party application.
  • The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.
9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

READ MORE READ MORE
13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN