By Sriram Sanka

  • Total Blog Hits

    • 95,571 hits
  • $riram $anka


    The experiences, Test cases, views, and opinions etc expressed in this website are my own and does not reflect the views or opinions of my employer. This site is independent of and does not represent Oracle Corporation in any way. Oracle does not officially sponsor, approve, or endorse this site or its content.Product and company names mentioned in this website may be the trademarks of their respective owners.

  • Flag Counter
  • Enter your email address to follow this blog and receive notifications of new posts by email.

Log4j Zero-Day RCE (CVE-2021-44228) Vulnerability

Posted by Sriram Sanka on December 11, 2021


I came to know about this Critical Vulnerability last night, and below is actual info same as the original content/Post by REDHAT https://access.redhat.com/security/cve/cve-2021-44228, Posting this as it is as I thought Its more clear in their Page on their words.

Description

A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 and before and including 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker’s JNDI LDAP server lookup.

Statement

This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

  • A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
  • A log statement in the endpoint that logs the attacker controlled data.

Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it is possible that log4j version 1.x is also affected by this vulnerability. The impact is still under investigation.

Mitigation

There are two possible mitigations for this flaw in versions from 2.10 to 2.14.1:
– Set the system property log4j2.formatMsgNoLookups to true, or
– Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`

Possible Workaround :

In order to mitigate vulnerabilities, users should switch log4j2.formatMsgNoLookups to true by adding:”‐Dlog4j2.formatMsgNoLookups=True” to the JVM command for starting the application.

Latest log4j API can be downloadable from https://logging.apache.org/log4j/2.x/download.html

Source :

https://access.redhat.com/security/cve/cve-2021-44228

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
Tales From A Lazy Fat DBA

Its all about Databases & their performance, troubleshooting & much more .... ¯\_(ツ)_/¯

Thinking Out Loud

Michael T. Dinh, Oracle DBA

Notes On Oracle

by Mehmet Eser

Oracle Diagnostician

Performance troubleshooting as exact science

deveshdba

get sum oracle stuffs

Data Warehousing with Oracle

Dani Schnider's Blog

ORASteps

Oracle DBA's Daily Work

DBAspaceblog.com

Welcome everyone!! The idea of this blog is to help the DBA in their daily tasks. Enjoy.

Anand's Data Stories

Learn. Share. Repeat.

Tanel Poder's blog: Core IT for geeks and pros

Oracle Performance Tuning, Troubleshooting, Internals

Yet Another OCM

Journey as an Oracle Certified Master

%d bloggers like this: