A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

11 December 2021 [NO.TCSA : 20211211-1-1-P]

PUBLISHED:
11 December 2021

A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

A remote code execution vulnerability was found in multiple versions of the Apache Log4j 2 library. The vulnerability was assigned with CVE-2021-44228. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organization, as well as numerous cloud services.

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.

 

Affected Versions

  • All versions from 2.0-beta9 to 2.14.1

 

Mitigation

  • Ensure you update to version 2.15.0 or later If you are using the Log4j 2 library as a dependency within an application.
  • Ensure you keep the product updated to the latest version If you are using an affected third-party application.
  • The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.

Critical Linux Kernel Vulnerability Allows Unprivileged Local Users to Gain Root Privileges (CVE-2026-31431)

READ MORE READ MORE

Critical Microsoft SharePoint Flaw Exploitations in the Wild

READ MORE READ MORE
15 January 2025 [NO.TCSA : 20250115-1-1-E]

Auth Bypass Vulnerability Exploited in Wild to Hijack Fortinet Firewalls

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN