2021-12-10 CVE-2021-44228 RCE 0-day exploit found in log4j
On December the 9th, a 0-day exploit in the popular Java logging library Apache Log4j 2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.
Many servers are vulnerable as this is a pretty popular logging system for Java-based applications.
Affected platforms
Any service that uses Apache Log4j >= 2.0-beta9 and <= 2.14.1.
How to patch it
The permanent mitigation is to upgrade Log4j to the latest version available. As of December the 13th, 2021, Version 2.16.0 was released and log4j-core.jar is available on Maven Central with the release notes. As of December the 17th, 2021, Version 2.17.0 was released to address a less critical vulnerability (CVE-2021-45105, see below); all users are recommended to update to this one.
UPDATES:
- CVE-2021-45046, originally scored with a CVSS of 3.7, has been upgraded to a CVSS score of 9.0. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
- CVE-2021-45105 has been scored with a CVSS of 7.5. Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
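Knowing which log4j-core version a deployment actually ships is the first step of the patching procedure above, and version strings such as 2.0-beta9 do not compare correctly as plain text. The following inventory script is an added example (not Bitnami's tooling and not part of the original advisory): it walks a directory tree, reads the Maven pom.properties that log4j-core jars carry at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (also inside one level of nested jars, e.g. a .war bundling the library), and classifies each version against the three CVEs using the ranges exactly as this advisory states them. It assumes, from the statement that 2.16.0 fixes CVE-2021-45046, that every release from 2.0-beta9 up to 2.15.0 is affected by that CVE, and it only special-cases 2.12.3 as a fix release because that is the backport the advisory names; other branch backports are not recognised and will be flagged, which is the safe side for an inventory check. The sample jars it scans are constructed in a temporary directory by the script itself.

```python
"""Inventory check for the Log4j versions covered by this advisory."""
import io
import os
import re
import tempfile
import zipfile

# Path of the Maven descriptor that a log4j-core jar carries
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fix release named in the advisory; treated as not affected by any of the three CVEs
FIX_BACKPORTS = {"2.12.3"}

_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(text):
    """Turn '2.0-beta9' into a comparable tuple; a final release sorts after its pre-releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, _PRE_ORDER[m.group(4).lower()], int(m.group(5) or 0))
    return (major, minor, patch, 3, 0)


def affected_cves(version):
    """Return the CVEs from this advisory that apply to a log4j-core version."""
    v = parse_version(version)
    if v in {parse_version(x) for x in FIX_BACKPORTS}:
        return []
    cves = []
    if parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")  # RCE via lookups; advisory: >= 2.0-beta9 and <= 2.14.1
    # Assumption: 2.16.0 is the fix, so everything before it (from 2.0-beta9) is treated as affected
    if parse_version("2.0-beta9") <= v < parse_version("2.16.0"):
        cves.append("CVE-2021-45046")
    if parse_version("2.0-alpha1") <= v <= parse_version("2.16.0"):
        cves.append("CVE-2021-45105")  # DoS via self-referential lookups; fixed in 2.17.0 / 2.12.3
    return cves


def log4j_version(zf, depth=1):
    """Read the log4j-core version from an open zip, descending `depth` levels into nested jars."""
    names = zf.namelist()
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if depth > 0:
        for entry in names:
            if entry.endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                        found = log4j_version(inner, depth - 1)
                except zipfile.BadZipFile:
                    continue
                if found:
                    return found
    return None


def scan_jars(root):
    """Return (path, version, cves) for every archive under root that carries log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    version = log4j_version(zf)
            except zipfile.BadZipFile:
                continue  # not a real archive; nothing to classify
            if version:
                findings.append((path, version, affected_cves(version)))
    return findings


def make_jar(path, version=None, nested=None):
    """Constructed sample: a minimal jar, optionally with a pom.properties or a bundled inner jar."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\n")
        if nested:
            zf.write(nested, "WEB-INF/lib/" + os.path.basename(nested))


def build_sample_tree():
    """Constructed sample tree: three log4j-core versions (one nested in a .war) plus an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), version="2.14.1")
    inner = os.path.join(root, "log4j-core-2.16.0.jar")
    make_jar(inner, version="2.16.0")
    make_jar(os.path.join(root, "app.war"), nested=inner)
    os.remove(inner)  # keep only the copy inside the .war so nested-jar handling is exercised
    make_jar(os.path.join(root, "log4j-core-2.17.0.jar"), version="2.17.0")
    make_jar(os.path.join(root, "other-lib.jar"))  # no log4j-core inside; must not be reported
    return root


def run_demo():
    """Scan the constructed tree and return {relative path: (version, cves)}."""
    root = build_sample_tree()
    report = {}
    for path, version, cves in sorted(scan_jars(root)):
        rel = os.path.relpath(path, root)
        status = ", ".join(cves) if cves else "not affected by the CVEs in this advisory"
        print(f"{rel}: log4j-core {version}: {status}")
        report[rel] = (version, cves)
    return report


if __name__ == "__main__":
    run_demo()
```

Point scan_jars at a real application directory (for a Bitnami container, the image's application root) to get the same report for deployed artifacts; anything listed with a CVE next to it needs the upgrade described above, and jars without pom.properties (re-packaged or shaded builds) will not be reported and should be checked by hand.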
The Bitnami team is actively tracking and releasing new application versions that ship a fixed version of Log4j for every format (virtual machines, containers, Helm charts) and for every supported Cloud Marketplace.
Do you have more questions? You can open an issue in this GitHub repository. Our support team will be happy to help you there.