A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

11 December 2021 [NO.TCSA : 20211211-1-1-P]


A remote code execution vulnerability was found in multiple versions of the Apache Log4j 2 library; it has been assigned CVE-2021-44228. Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation. It is widely used and is present in many services as a direct or transitive dependency, including enterprise applications, custom applications developed within an organization, and numerous cloud services. An attacker who can get a crafted string written to a log (for example, through an HTTP header or a form field) can cause the library to perform a JNDI lookup that loads and executes attacker-controlled code on the logging host, so any application that logs untrusted input should be treated as exposed.

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.


Affected Versions

  • All versions from 2.0-beta9 to 2.14.1


Mitigation

  • If you use the Log4j 2 library as a dependency within an application, update to version 2.15.0 or later (the latest available 2.x release is preferred). Check transitive dependencies as well, since log4j-core is often pulled in indirectly.
  • If you use an affected third-party application, keep the product updated to the latest version provided by the vendor.
  • Where an immediate upgrade is not possible, the flaw can also be mitigated in releases 2.10 and later by setting the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true"), and in earlier releases by removing the JndiLookup class from the classpath. These are stop-gap measures for systems that cannot be patched right away, not a replacement for upgrading.
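The following script is an added example, not part of this bulletin and not Apache's own tooling. It implements the two checks the mitigation list implies: find log4j-core jars whose version falls in the affected range (2.0-beta9 through 2.14.1, including the 2.0 rc builds) and, for those, apply the classpath mitigation by rewriting the jar without org/apache/logging/log4j/core/lookup/JndiLookup.class (the same effect as Apache's documented `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version attribute, falling back to the log4j-core-<version>.jar filename; the sample jars it builds are constructed stand-ins with placeholder bytes, not real Log4j artifacts.

```python
"""Added example: locate Log4j 2 jars in the CVE-2021-44228 affected range and
remove JndiLookup.class from them. Not Apache code; assumes manifest or filename
carries the version. Sample jars built by make_sample_jar() are constructed."""
import os
import re
import tempfile
import zipfile

# Class the bulletin says to remove from the classpath as a stop-gap.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches "2.14.1", "2.0-beta9", "2.0-rc1"; stage order is beta < rc < GA.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
STAGE = {"beta": 0, "rc": 1, None: 2}


def parse_version(text):
    """Map a Log4j version string to a sortable key, or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))


AFFECTED_FIRST = parse_version("2.0-beta9")
AFFECTED_LAST = parse_version("2.14.1")


def is_affected_version(text):
    """True for every release from 2.0-beta9 through 2.14.1 inclusive."""
    key = parse_version(text) if text else None
    return key is not None and AFFECTED_FIRST <= key <= AFFECTED_LAST


def jar_version(zf, path):
    """Read Implementation-Version from the manifest, else use the filename."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except KeyError:
        pass
    m = re.match(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def inspect_jar(path):
    """Report version, range membership and whether JndiLookup is still present."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf, path)
        has_lookup = JNDI_LOOKUP in zf.namelist()
    # A jar in the affected range is only still exploitable if the class is present.
    return {"path": path, "version": version, "has_jndi_lookup": has_lookup,
            "affected": is_affected_version(version) and has_lookup}


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. Returns False if it was absent."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap once the copy is complete
    return True


def scan_tree(root):
    """Walk a directory tree and return findings for every affected jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                result = inspect_jar(os.path.join(dirpath, name))
                if result["affected"]:
                    findings.append(result)
    return findings


def make_sample_jar(path, version, include_lookup=True):
    """Constructed stand-in for log4j-core (placeholder bytes, not real bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Scan constructed jars, mitigate the affected one, rescan; returns a summary."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.0-beta8.jar"), "2.0-beta8")
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        before = [f["version"] for f in scan_tree(root)]
        removed = [remove_jndi_lookup(f["path"]) for f in scan_tree(root)]
        after = [f["version"] for f in scan_tree(root)]
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the constructed demo; on a real host, call scan_tree("/opt") (or wherever applications are deployed) and review the findings before calling remove_jndi_lookup on each path. Note that a 2.15.0 jar still contains JndiLookup.class; it is reported as not affected because its version is outside the range, which is why the version check and the class check are combined rather than used alone. The class removal is a stop-gap; the upgrade in the first mitigation bullet remains the fix.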