A Serious Remote Code Execution Flaw Found in Apache Log4j 2 Library

11 December 2021 [NO.TCSA : 20211211-1-1-P]


A remote code execution vulnerability has been found in multiple versions of the Apache Log4j 2 library; it has been assigned CVE-2021-44228. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency, including enterprise applications, custom applications developed within an organization, and numerous cloud services.

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities; developers should migrate to the latest version of Log4j 2.


Affected Versions

  • All versions from 2.0-beta9 to 2.14.1


Mitigation

  • If you use the Log4j 2 library as a dependency within an application, update to version 2.15.0 or later.
  • If you use an affected third-party application, keep the product updated to the latest version.
  • In earlier releases (2.10 and later) the flaw can also be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath.
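The following added example (not part of this bulletin, and not code from the Log4j project) shows how a defender can check a log4j-core JAR against the affected range above and apply the classpath mitigation by rewriting the JAR without JndiLookup.class. It uses only the Python standard library; the JAR it inspects is a constructed stand-in containing the real entry paths used by log4j-core, not a real build.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Real entry paths inside log4j-core JARs: the lookup class and the Maven metadata.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_affected(version):
    """True for log4j-core 2.0-beta9 through 2.14.1, the range named in the bulletin."""
    m = re.match(r"2\.(\d+)(?:\.\d+)?(?:-beta(\d+))?", version)
    if not m or int(m.group(1)) > 14:
        return False
    # Only the 2.0 betas earlier than beta9 fall outside the affected range.
    return not (m.group(1) == "0" and m.group(2) is not None and int(m.group(2)) < 9)

def scan_jar(jar_path):
    """Report the bundled version and whether JndiLookup is still on the classpath."""
    with zipfile.ZipFile(jar_path) as zf:
        names, version = set(zf.namelist()), None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"version": version,
            "affected": version is not None and is_affected(version),
            "has_jndi_lookup": JNDI_LOOKUP in names}

def strip_jndi_lookup(src_jar, dst_jar):
    """Rewrite the JAR without JndiLookup.class (the classpath mitigation in the bulletin)."""
    with zipfile.ZipFile(src_jar) as src, zipfile.ZipFile(dst_jar, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))

def run_demo(version="2.14.1"):
    """Build a constructed stand-in for log4j-core (not a real build), scan it, then remediate."""
    workdir = Path(tempfile.mkdtemp())
    jar = workdir / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    before = scan_jar(jar)
    fixed = workdir / "log4j-core-fixed.jar"
    strip_jndi_lookup(jar, fixed)
    return {"before": before, "after": scan_jar(fixed)}
```

Removing the class leaves the version string unchanged, so a version-only scanner will still flag the patched JAR; check for the class entry as well when verifying this mitigation.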