Apache Log4j Security Vulnerabilities (CVE-2021-44228)

Background

Apache Log4j Security Vulnerabilities (CVE-2021-44228) has been found.

Cyber attackers are making over a hundred attempts to exploit this critical security vulnerability in Java logging library Apache Log4j every minute.

This vulnerability allows attackers to install malware, steal user credentials, and more.

The Log4j flaw (also now known as "Log4Shell") is a zero-day vulnerability (CVE-2021-44228) that first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

Read More “Apache Log4j Security Vulnerabilities (CVE-2021-44228)”